RubiconRouter: Offers created through offerWithETH() can be cancelled by anyone #17
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
3 (High Risk)
bghughes
added
the
sponsor confirmed
This was referenced Jun 4, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L383-L409
Vulnerability details
Impact
When a user creates an offer through the offerWithETH function of the RubiconRouter contract, the offer function of the RubiconMarket contract is called, and the RubiconRouter contract address is set to offer.owner in the offer function.
This means that anyone can call the cancelForETH function of the RubiconRouter contract to cancel the offer and get the ether.
Proof of Concept
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L383-L409
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L440-L452
Tools Used
None
Recommended Mitigation Steps
Set the owner of offer_id to msg.sender in offerWithETH function and check it in cancelForETH function
The text was updated successfully, but these errors were encountered: