hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Attackers can claim erc1155 tokens without costs #72

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @DevPelz
Twitter username: Pelz_Dev
Submission hash (on-chain): 0x0a8dc280a702a0c8da1997b764f9fdca0a2604de9044b5f7459f30435dea8e8e
Severity: high

Description: Possible vulnerability that allows attackers to claim ERC1155 tokens from the market for free and use them to redeemPositions.

Attack Scenario: Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File: An attacker can call the split function in Router.sol using any random ERC20 token to claim valid market ERC1155 tokens. These tokens can then be used in the redeemPositions function, allowing the attacker to drain funds from the protocol. An attacker can use any arbitrary token as collateral. Relevant code in Router.sol: split function call (line 37), redeemPositions (line 143).

  2. Revised Code File (Optional): require statement to ensure the token being used as collateral is valid in the marketplace.

xyzseer commented 1 month ago

collateralToken is used to build the positionId https://github.com/gnosis/conditional-tokens-contracts/blob/master/contracts/CTHelpers.sol#L430 , so it's not possible to merge or split a position using a different collateral

clesaege commented 1 month ago

Yes, if you believe that using a malicious token could lead to stealing/locking other (not the ones using this malicious token) users, please provide a test example.
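
The two replies above (the collateral address is hashed into the positionId, so a malicious token only touches positions minted against that token), shown as an added model that is not part of the thread and is not Seer's or Gnosis's code. `PositionLedgerModel` and its simplified `split` and `merge` are hypothetical (real split/merge also take a condition and partition); only the `getPositionId` derivation follows the linked CTHelpers function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed model of collateral-bound position ids. NOT Seer's Router.sol
/// and NOT the Gnosis ConditionalTokens contract; names are hypothetical.
contract PositionLedgerModel {
    // ERC1155-style ledger: positionId => holder => amount
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    // Same derivation as CTHelpers.getPositionId: the collateral token
    // address is part of the hash preimage, so it is part of the id.
    function getPositionId(IERC20 collateralToken, bytes32 collectionId) public pure returns (uint256) {
        return uint256(keccak256(abi.encodePacked(collateralToken, collectionId)));
    }

    // Pull `amount` of collateralToken and mint one position per outcome collection.
    function split(IERC20 collateralToken, bytes32[] calldata collectionIds, uint256 amount) external {
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "pull failed");
        for (uint256 i = 0; i < collectionIds.length; i++) {
            balanceOf[getPositionId(collateralToken, collectionIds[i])][msg.sender] += amount;
        }
    }

    // Burn a full set of positions and pay out the SAME token that is in their ids.
    function merge(IERC20 collateralToken, bytes32[] calldata collectionIds, uint256 amount) external {
        for (uint256 i = 0; i < collectionIds.length; i++) {
            uint256 id = getPositionId(collateralToken, collectionIds[i]);
            // Positions minted against a different token live under different ids,
            // so the caller's balance under this id is zero and the call reverts.
            require(balanceOf[id][msg.sender] >= amount, "no position for this collateral");
            balanceOf[id][msg.sender] -= amount;
        }
        require(collateralToken.transfer(msg.sender, amount), "payout failed");
    }
}
```

In this model, a caller who splits with an arbitrary token and then calls `merge` naming the real collateral reverts at the balance check, while naming the arbitrary token pays out only that token.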