Closed code423n4 closed 1 year ago
contested; all pointers are masked against OffsetOrLengthMask on the way in (uint256 is just so the values aren't being redundantly cast by the compiler)
HickupHH3 marked the issue as unsatisfactory: Insufficient proof
Generic comment without providing an explicit reference to the codebase on where int overflow / underflow happens.
Lines of code
https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/helpers/PointerLibraries.sol#L6
Vulnerability details
Impact
This vulnerability allows an attacker to read or write to arbitrary memory locations by passing an out-of-bounds 'ReturndataPointer' value to the functions in the 'ReturndataReaders' and 'MemoryReaders' libraries. This can potentially lead to sensitive information disclosure, unauthorized access to contract state, or even contract destruction.
Proof of Concept
The ReturndataPointer is declared as a uint256 type, which means it is a 256-bit unsigned integer. If there are no checks in place to ensure that the provided 'ReturndataPointer' is within bounds, it is possible for an attacker to call one of the affected functions with a carefully crafted 'ReturndataPointer' value that points to a memory location outside of the expected range. This can be done by calling a function that calls the attacker-controlled contract with a malicious 'ReturndataPointer' value.
Tools Used
vscode, plain reading, quick search
Recommended Mitigation Steps
Verify that the 'ReturndataPointer' value passed to the affected functions is within the expected range before performing any memory operations. If possible, use a memory-safe programming language; it is good practice to validate the input to ensure that it meets the expected format, range and size.
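The sponsor's response refers to pointers being masked against OffsetOrLengthMask on the way in. The following is an added illustration of that pattern and is not Seaport's PointerLibraries code; the user-defined type, the library and contract names, and the 32-bit mask value are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative only: not Seaport's PointerLibraries. The mask value and
// the function names below are assumptions for this example.
type ReturndataPointer is uint256;

// Assumed 32-bit mask. Offsets and lengths are bounded to 2**32 - 1, so a
// caller-supplied uint256 cannot address memory outside that window or
// wrap around the 256-bit space when a length is added to it.
uint256 constant OffsetOrLengthMask = 0xffffffff;

library PointerDemo {
    // Masking on the way in: whatever uint256 the caller passes, the
    // pointer that reaches the readers is at most OffsetOrLengthMask.
    function toReturndataPointer(uint256 raw) internal pure returns (ReturndataPointer) {
        return ReturndataPointer.wrap(raw & OffsetOrLengthMask);
    }

    // Reader that copies one word of returndata from the masked offset.
    // returndatacopy reverts on its own if offset + 32 exceeds
    // returndatasize, so the read is bounded by both the mask and the EVM.
    function readUint256(ReturndataPointer rdPtr) internal pure returns (uint256 value) {
        assembly {
            returndatacopy(0, rdPtr, 0x20)
            value := mload(0)
        }
    }
}

contract MaskDemo {
    // Unmasked path, shown for contrast: the raw value is used as-is.
    function unmasked(uint256 raw) external pure returns (uint256) {
        return ReturndataPointer.unwrap(ReturndataPointer.wrap(raw));
    }

    // Masked path: type(uint256).max becomes 0xffffffff here.
    function masked(uint256 raw) external pure returns (uint256) {
        return ReturndataPointer.unwrap(PointerDemo.toReturndataPointer(raw));
    }
}
```

Calling masked(type(uint256).max) returns 4294967295, while unmasked(type(uint256).max) returns the full 256-bit value, which is the difference the sponsor's comment relies on.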