Users can avoid paying any fees when using ERC20EnabledLooksRareAggregator for Seaport #143
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explains in comments)
- downgraded by judge: Judge downgraded the risk level of this issue
- M-04
- primary issue: Highest quality submission among a set of duplicates
- satisfactory: Satisfies C4 submission criteria; eligible for awards
- selected for report: This submission will be included/highlighted in the audit report
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use with "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/proxies/SeaportProxy.sol#L136-L164
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/proxies/SeaportProxy.sol#L232-L252
Vulnerability details
Impact
The order.price field of the tradeData parameter is not used as the actual token amount sent to the Seaport market, and the two values are never checked for equality when the ERC20EnabledLooksRareAggregator calls SeaportProxy with ERC20 tokens. Since the protocol fee is derived from order.price, a user can set order.price to zero and avoid paying any fees on ERC20 orders.
Proof of Concept
Test file SeaportUSDCZeroPrice.t.sol, modified from the existing test SeaportProxyERC721USDC.t.sol and annotated with # diff. Run the test:
Tools Used
foundry
Recommended Mitigation Steps
Assert that order.price equals the token amount of the Seaport order (the sum of the consideration amounts actually forwarded to Seaport) when populating parameters, and revert on a mismatch.
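As an added illustration (not code from the LooksRare repository or from the warden's test file), the following simplified Solidity model contrasts the fee-on-declared-price pattern described in the Impact section with the check recommended above. The OrderDetails struct, its considerationAmounts field, the function names and the 1% fee are assumptions made for this example only; the real SeaportProxy structures and fee logic differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, simplified model of the price/amount check (not the LooksRare SeaportProxy source).
// Struct fields, function names and the fee rate are assumptions made for this example.

struct OrderDetails {
    uint256 price;                  // declared price: the value the aggregator bases its fee on
    uint256[] considerationAmounts; // amounts actually forwarded to Seaport (assumed field)
}

contract SeaportProxyModel {
    uint256 public constant FEE_BP = 100;        // 1% fee, constructed value for the example
    uint256 public constant BASIS_POINTS = 10_000;

    error OrderPriceMismatch(uint256 declared, uint256 actual);

    // Sum of what Seaport will actually receive for this order.
    function actualAmount(OrderDetails memory order) public pure returns (uint256 total) {
        uint256 length = order.considerationAmounts.length;
        for (uint256 i; i < length; ) {
            total += order.considerationAmounts[i];
            unchecked { ++i; }
        }
    }

    // Vulnerable pattern: the fee is derived from the caller-supplied price only.
    // A declared price of zero yields a zero fee while the full consideration
    // still goes to Seaport, which is the issue reported above.
    function feeUnchecked(OrderDetails memory order) public pure returns (uint256) {
        return (order.price * FEE_BP) / BASIS_POINTS;
    }

    // Hardened pattern: refuse to populate parameters unless the declared price
    // equals the token amount that will actually be sent to the market.
    function feeChecked(OrderDetails memory order) public pure returns (uint256) {
        uint256 actual = actualAmount(order);
        if (order.price != actual) revert OrderPriceMismatch(order.price, actual);
        return (actual * FEE_BP) / BASIS_POINTS;
    }
}
```

In a Foundry test, an order with price 0 and a non-zero considerationAmounts array makes feeUnchecked return 0, while feeChecked reverts with OrderPriceMismatch; asserting on that revert (vm.expectRevert) is the regression test the mitigation calls for.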