search

sherlock-audit / 2024-08-flayer-judging

2 stars 0 forks source link

Albort - Incorrect Updating of Listing Data in `_mapListings` Function #794

Open sherlock-admin4 opened 1 month ago

sherlock-admin4 commented 1 month ago

Albort

Medium

Incorrect Updating of Listing Data in _mapListings Function

Summary

The function attempts to modify _createListing.listing.checkpoint where _createListing is a memory variable derived from calldata. In Solidity, modifying memory variables does not affect the original calldata, and depending on the struct definitions, this may not correctly update the storage ProtectedListing.

Vulnerability Detail

If the checkpoint is not correctly updated in the storage _protectedListings, subsequent functions relying on accurate checkpoint data (e.g., unlockPrice, getProtectedListingHealth) may produce incorrect results, leading to vulnerabilities like improper debt calculations or incorrect collateral assessments.

Impact

Code Snippet

function _mapListings(CreateListing memory _createListing, uint _tokenIds, uint checkpointIndex) internal returns (uint tokensReceived) { for (uint i; i < _tokenIds; ++i) { // 使用当前检查点更新请求并存储 listing _createListing.listing.checkpoint = _checkpointIndex; _protectedListings[_createListing.collection][_createListing.tokenIds[i]] = _createListing.listing;

    tokensReceived_ += _createListing.listing.tokenTaken;

    emit ListingDebtAdjusted(_createListing.collection, _createListing.tokenIds[i], int(uint(_createListing.listing.tokenTaken)));
}

}

https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L198

Tool used

Manual Review

Recommendation

Directly update the storage struct without attempting to modify a memory copy. Ensure that all necessary fields are correctly set in storage.