Closed c4-submissions closed 11 months ago
Flaggin but looks wrong
function validateCreateOrderHash(address targetTokenReceiver, uint256 createOrderHash, bytes memory encodedOrder, IDelegateRegistry.DelegationType tokenType) internal view {
uint256 actualCreateOrderHash = CreateOffererHelpers.calculateOrderHash(targetTokenReceiver, msg.sender, encodedOrder, tokenType);
if (actualCreateOrderHash != createOrderHash) {
revert CreateOffererErrors.CreateOrderHashInvariant(createOrderHash, actualCreateOrderHash);
}
}
Incorrect, these are not real tokens only placeholders used to fulfill Seaport order matching. There is also access control and guards
0xfoobar (sponsor) disputed
GalloDaSballo marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/CreateOfferer.sol#L89
Vulnerability details
Impact
Deposited token of the CreateOfferer may be stolen by malicious attacker.
Proof of Concept
CreateOfferer.transferFrom()
function is as follows.This function is external and due to the lack of
onlySeaport(msg.sender)
modifier, it can be called by anybody. And that includes malicious attacker. Seaport will transfer some deposit token(ERC20, ERC721, ERC1155) into theCreateOfferer
before it callsCreateOfferer.transferFrom()
function. Attacker may monitor mempool against this and can hijack or front-run the normalCreateOfferer.transferFrom()
call with his own malicioustargetTokenReceiver
address as parameter to get delegate token. As a result, the attacker will withdraw original deposit token with this stolen delegate token.Tools Used
Manual Review
Recommended Mitigation Steps
CreateOfferer.transferFrom()
function should be modified as follows.Assessed type
Access Control