The Seaport protocol supports “tipping”, so users were able to tip a malicious ERC20 when fulfilling an order by adding them to the considerations array. They could use that to prevent stopping rentals, as they could revert the transaction when the asset was supposed to be "transferred back" (considering they control the fake ERC20).
Mitigation
PR-7: A whitelist was introduced for all tokens (ERC20, ERC721, ERC1155).
Items are converted via _convertItems(), which extract the corresponding offers and considerations. This is important to check, as those items are the ones later checked for the whitelist. This works as expected.
Lines of code
Vulnerability details
C4 Issue
H-01: All orders can be hijacked to lock rental assets forever by tipping a malicious ERC20
Comments
The Seaport protocol supports “tipping”, so users were able to tip a malicious ERC20 when fulfilling an order by adding them to the
considerations
array. They could use that to prevent stopping rentals, as they could revert the transaction when the asset was supposed to be "transferred back" (considering they control the fake ERC20).Mitigation
PR-7: A whitelist was introduced for all tokens (ERC20, ERC721, ERC1155).
_convertItems()
, which extract the corresponding offers and considerations. This is important to check, as those items are the ones later checked for the whitelist. This works as expected._processPayeeOrderConsideration()
now adds the consideration items to the list, so that they can be checked by the whitelistNotes
Conclusions
Successful Mitigation