H-01 MitigationConfirmed

[c4-bot-6]

Lines of code

Vulnerability details

C4 Issue

H-01: All orders can be hijacked to lock rental assets forever by tipping a malicious ERC20

Comments

The Seaport protocol supports “tipping”, so users were able to tip a malicious ERC20 when fulfilling an order by adding them to the considerations array. They could use that to prevent stopping rentals, as they could revert the transaction when the asset was supposed to be "transferred back" (considering they control the fake ERC20).

Mitigation

PR-7: A whitelist was introduced for all tokens (ERC20, ERC721, ERC1155).

• Now rentals can only be created with whitelisted items, so it's not possible to include malicious tokens as neither consideration, nor offer items. "Standard" ERC20 tokens will be added to the whitelist.
• Items are converted via _convertItems(), which extract the corresponding offers and considerations. This is important to check, as those items are the ones later checked for the whitelist. This works as expected.
  • _processPayeeOrderConsideration() now adds the consideration items to the list, so that they can be checked by the whitelist
• Tests were added to check for whitelisted assets on creation

Notes

• ERC20 tokens can still be tipped as consideration items, although only whitelisted ones.

Conclusions

Successful Mitigation

[c4-judge]

gzeon-c4 marked the issue as satisfactory

[c4-judge]

gzeon-c4 marked the issue as confirmed for report