Closed c4-bot-10 closed 9 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #142
0xA5DF marked the issue as not a duplicate
0xA5DF changed the severity to QA (Quality Assurance)
0xA5DF marked the issue as grade-c
Impact seems low at best, closing due to low quantity of QAs
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/ocean/Ocean.sol#L510-L524 https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/ocean/Ocean.sol#L634-L645
Vulnerability details
Impact
when the
getBalanceDelta
function returns a negative value forWrapErc721
, and this negative value is used asspecifiedAmount
during the_executeInteraction
function, it will lead to the function always reverting for the_erc721Wrap
, as it expects thespecifiedAmount
always equal to 1.Proof of Concept
It is safe to assume that during
_doMultipleInteractions
interaction, a user can passuint256.max
as thespecifiedAmount
when they want to use the total token amount held in the balance delta.Hence, this statement will pass through
if (interaction.specifiedAmount == GET_BALANCE_DELTA) { specifiedAmount = balanceDeltas.getBalanceDelta(interactionType, specifiedToken)
getBalanceDelta
function (inBalanceDelta.sol
) will use theinteraction type
(in this case isWrapErc721
) which will return negative delta as shown below:However, when the interaction proceeds to
_executeInteraction
(forWrapErc721
) this statement@> if (specifiedAmount != 1) revert INVALID_ERC721_AMOUNT();
will always be true which will revertWrapErc721
almost all the time.Tools Used
Manual
Recommended Mitigation Steps
I don't think this has a specific recommended mitigation, as this solely depends on the protocol. For example;
getBalanceDelta
function (even though it's intended) when the interaction type isWrapErc721
.OR
GET_BALANCE_DELTA
constant which istype(uint256).max
forWrapErc721
OR
@> if (specifiedAmount != 1) revert INVALID_ERC721_AMOUNT();
to@> if (specifiedAmount != -1) revert INVALID_ERC721_AMOUNT();
forWrapErc721
not entirely sure that makes sense.Assessed type
Invalid Validation