Open code423n4 opened 1 year ago
0xSorryNotSorry marked the issue as primary issue
The bug report concerns an issue with NFTs that do not support interface lookup. In such cases, a transaction could revert
This is not true. The Manifold registry contract already catches and handles such an error and prevents a revert.
outdoteth marked the issue as sponsor disputed
Have considered the risk of an ERC721 not implementing supportsInterface
That would make it a token that is not an ERC721 per the spec: https://eips.ethereum.org/EIPS/eip-721#backwards-compatibility
Am downgrading to QA because an owner could make supportsInterface revert as a way to prevent certain trades or grief the system
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-a
9 Lows A
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L784
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L786
Vulnerability details
Impact
The bug report concerns an issue with NFTs that do not support interface lookup. In such cases, a transaction could revert. Additionally, external NFTs can make the getRoyaltyLookupAddress(nft) query revert, blocking buy/sell trading. This vulnerability can lead to denial of service, which can significantly impact the users' ability to trade NFTs on the platform.
Proof of Concept
The issue lies in the _getRoyalty function in the code.
The code is used when settling the royalty fee payment.
When the NFT does not support interface lookup, the transaction could revert. Furthermore, if external NFTs make the getRoyaltyLookupAddress(nft) query revert intentionally or unintentionally, it could lead to denial of service when trading NFTs.
Another line of code that can revert is
If the lookupAddress is address(0), the function call below would revert and block the transaction.
Tools Used
Manual Review
Recommended Mitigation Steps
The recommended mitigation steps include wrapping the royalty fee query in a try-catch block to avoid denial of service. This will prevent the transaction from reverting if the getRoyaltyLookupAddress(nft) query fails. Additionally, the platform can explore alternatives to prevent the getRoyaltyLookupAddress(nft) query from failing, such as adding support for interface lookup for NFTs that do not currently support it.
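An added example, not code from the Caviar repository, the report, or the Manifold registry: it puts the unguarded lookup pattern the report describes next to a hardened version that wraps each step in try/catch and skips the royalty instead of reverting, and includes a hypothetical override contract whose supportsInterface reverts, which is the griefing case raised in the judge's comment. The interface names (IRoyaltyRegistry, IERC165, IERC2981), the contract names, and the InvalidRoyaltyFee error are assumptions for this example, modelled on ERC-165, ERC-2981 and the getRoyaltyLookupAddress(nft) call quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed interfaces for this example (not the project's own declarations); they follow
// ERC-165 / ERC-2981 and the getRoyaltyLookupAddress(address) signature quoted in the report.
interface IRoyaltyRegistry {
    function getRoyaltyLookupAddress(address tokenAddress) external view returns (address);
}

interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

interface IERC2981 is IERC165 {
    function royaltyInfo(uint256 tokenId, uint256 salePrice)
        external view returns (address receiver, uint256 royaltyAmount);
}

// Hypothetical contract an NFT owner could register as the royalty lookup for their token:
// supportsInterface always reverts, so any pool that calls it unguarded cannot settle trades.
contract RevertingLookup is IERC165 {
    function supportsInterface(bytes4) external pure override returns (bool) {
        revert("lookup disabled");
    }
}

contract RoyaltyLookupExample {
    error InvalidRoyaltyFee();

    address public immutable nft;
    address public immutable royaltyRegistry;

    constructor(address nft_, address registry_) {
        nft = nft_;
        royaltyRegistry = registry_;
    }

    // Pattern the report describes: every call in the lookup chain is unguarded, so a registry
    // or override contract that reverts (or an address with no code) reverts the whole trade.
    function getRoyaltyUnguarded(uint256 tokenId, uint256 salePrice)
        external view returns (uint256 royaltyFee, address recipient)
    {
        address lookupAddress = IRoyaltyRegistry(royaltyRegistry).getRoyaltyLookupAddress(nft);
        if (IERC2981(lookupAddress).supportsInterface(type(IERC2981).interfaceId)) {
            (recipient, royaltyFee) = IERC2981(lookupAddress).royaltyInfo(tokenId, salePrice);
            if (royaltyFee > salePrice) revert InvalidRoyaltyFee();
        }
    }

    // Hardened version: a failing lookup is treated as "no royalty" rather than a revert,
    // so the trade still settles and only the royalty payment is skipped.
    function getRoyaltyGuarded(uint256 tokenId, uint256 salePrice)
        external view returns (uint256 royaltyFee, address recipient)
    {
        address lookupAddress;
        try IRoyaltyRegistry(royaltyRegistry).getRoyaltyLookupAddress(nft) returns (address a) {
            lookupAddress = a;
        } catch {
            return (0, address(0));
        }

        // try/catch only catches reverts raised inside the callee. Calling an address with
        // no code (address(0), an EOA, a self-destructed override) fails while decoding the
        // empty return data in the caller and is not reliably caught, so exclude it explicitly.
        if (lookupAddress.code.length == 0) return (0, address(0));

        try IERC165(lookupAddress).supportsInterface(type(IERC2981).interfaceId) returns (bool ok) {
            if (!ok) return (0, address(0));
        } catch {
            return (0, address(0));
        }

        try IERC2981(lookupAddress).royaltyInfo(tokenId, salePrice) returns (address r, uint256 fee) {
            // A royalty above the sale price is still rejected: paying it would take more than
            // the seller receives, so refusing that trade is the intended behaviour, not a DoS.
            if (fee > salePrice) revert InvalidRoyaltyFee();
            return (fee, r);
        } catch {
            return (0, address(0));
        }
    }
}
```

Deploy RevertingLookup, point the registry lookup for the NFT at it, and call both functions: getRoyaltyUnguarded reverts with "lookup disabled", while getRoyaltyGuarded returns (0, address(0)) and lets the trade proceed. The explicit code-length check matters because a zero or code-less lookup address is the exact case the report's last paragraph mentions, and a try/catch on its own does not cover it.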