code-423n4 / 2023-01-opensea-findings


ReturndataPointer Out of Bounds: A Recipe for Disaster #96

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/helpers/PointerLibraries.sol#L6

Vulnerability details

Impact

This vulnerability allows an attacker to read or write to arbitrary memory locations by passing an out-of-bounds 'ReturndataPointer' value to the functions in the 'ReturndataReaders' and 'MemoryReaders' libraries. This can potentially lead to sensitive information disclosure, unauthorized access to contract state, or even contract destruction.

Proof of Concept

The ReturndataPointer is declared as a uint256 type, which means it is a 256-bit unsigned integer. If there are no checks in place to ensure that the provided 'ReturndataPointer' is within bounds, it is possible for an attacker to call one of the affected functions with a carefully crafted 'ReturndataPointer' value that points to a memory location outside of the expected range. This can be done by calling a function that calls the attacker-controlled contract with a malicious 'ReturndataPointer' value.

Tools Used

vscode, plain reading, quick search

Recommended Mitigation Steps

Verify that the 'ReturndataPointer' value passed to the affected functions is within the expected range before performing any memory operations. If possible, use a memory-safe programming language. It is good practice to validate the input to ensure that it meets the expected format, range and size.

0age commented 1 year ago

contested; all pointers are masked against OffsetOrLengthMask on the way in (uint256 is just so the values aren't being redundantly casted by the compiler)
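The two defensive patterns raised in this thread, the warden's "check the range before any memory operation" and the maintainer's "mask every pointer on the way in", are shown side by side in the following added example. This is illustrative code written for this page, not Seaport's PointerLibraries.sol: the type name, the 32-bit value of `OffsetOrLengthMask`, the `wrapMasked` and `readUint256` helpers and the demo contracts are all assumptions. One caveat worth knowing when triaging reports like this one: the EVM itself reverts a RETURNDATACOPY whose range exceeds RETURNDATASIZE, so an oversized returndata offset cannot read arbitrary memory; the explicit check below only turns that opaque revert into a descriptive error.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, simplified pointer library (not Seaport's PointerLibraries.sol).
// It demonstrates two layers of defense for returndata pointers:
//   1. mask every offset on the way in so the stored value can never exceed 32 bits;
//   2. compare the offset against returndatasize() before copying.

type ReturndataPointer is uint256;

// Mask value assumed for illustration: offsets and lengths limited to 32 bits.
uint256 constant OffsetOrLengthMask = 0xffffffff;
uint256 constant OneWord = 0x20;

error ReturndataOutOfBounds(uint256 offset, uint256 size);

library ReturndataReaders {
    // Every pointer is constructed through this function; after masking the
    // stored value is < 2**32 regardless of what the caller passed in.
    function wrapMasked(uint256 raw) internal pure returns (ReturndataPointer) {
        return ReturndataPointer.wrap(raw & OffsetOrLengthMask);
    }

    // Explicit bounds check before the copy. Because the offset is < 2**32,
    // offset + OneWord cannot overflow. The EVM would revert anyway on an
    // out-of-range RETURNDATACOPY; the custom error just makes the cause visible.
    function readUint256(ReturndataPointer rdPtr) internal pure returns (uint256 value) {
        uint256 offset = ReturndataPointer.unwrap(rdPtr);
        uint256 size;
        assembly {
            size := returndatasize()
        }
        if (offset + OneWord > size) revert ReturndataOutOfBounds(offset, size);
        assembly {
            // scratch space at 0x00 is free for a one-word copy
            returndatacopy(0, offset, OneWord)
            value := mload(0)
        }
    }
}

// Demo contract (hypothetical): performs a call and then reads one word from
// the returndata buffer at a caller-supplied raw offset.
contract ReturndataDemo {
    using ReturndataReaders for ReturndataPointer;

    function callAndRead(address target, bytes calldata data, uint256 rawOffset)
        external
        returns (uint256)
    {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        // Arbitrary 256-bit input is reduced to a 32-bit offset here.
        ReturndataPointer rdPtr = ReturndataReaders.wrapMasked(rawOffset);
        // offset 0x00 -> 1, offset 0x20 -> 2, offset >= 0x40 -> ReturndataOutOfBounds
        return rdPtr.readUint256();
    }
}

// Constructed target that returns two words (64 bytes of returndata).
contract Target {
    function twoWords() external pure returns (uint256, uint256) {
        return (1, 2);
    }
}
```

Deploy `Target` and `ReturndataDemo`, then call `callAndRead(targetAddress, abi.encodeWithSignature("twoWords()"), rawOffset)`: offsets 0x00 and 0x20 return 1 and 2, an offset such as 0x40 reverts with `ReturndataOutOfBounds(64, 64)`, and a huge offset like `2**255 + 0x20` is masked to 0x20 and returns 2 rather than reaching any memory outside the returndata buffer.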

c4-judge commented 1 year ago

HickupHH3 marked the issue as unsatisfactory: Insufficient proof

HickupHH3 commented 1 year ago

Generic comment without providing an explicit reference to the codebase on where int overflow / underflow happens.