Theft of ETH that was not used for successful execution of orders in non-atomic execution #275
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-241
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
3 (High Risk)
|
Picodes marked the issue as duplicate of #241 |
c4-judge
added
2 (Med Risk)
|
Picodes changed the severity to 2 (Med Risk) |
c4-judge
added
the
satisfactory
|
Picodes marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/f4c90ca149f4aeeac125605a56166297b717201a/contracts/LooksRareAggregator.sol#L51
https://github.com/code-423n4/2022-11-looksrare/blob/f4c90ca149f4aeeac125605a56166297b717201a/contracts/LooksRareAggregator.sol#L109
https://github.com/code-423n4/2022-11-looksrare/blob/f4c90ca149f4aeeac125605a56166297b717201a/contracts/lowLevelCallers/LowLevelETH.sol#L43
https://github.com/code-423n4/2022-11-looksrare/blob/f4c90ca149f4aeeac125605a56166297b717201a/contracts/lowLevelCallers/LowLevelETH.sol#L46
Vulnerability details
Description
There is an
executefunction inLooksRareAggregatorcontract. It refunds any ETH that was unused (for example that left due to the unsuccessful execution of an order) at the end of its execution flow:_returnETHIfAnyfunction is the following:Let's remember the EIP-150 63/64 rule. The 63/64 rule says that call opcode can consume at most 63/64 gas of parent call, in other words, the child call can consume "all but one 64th" of the gas, and parent calls will have at least 1/64 of gas to continue the execution.
So,
_returnETHIfAnycan make a call with gas that is not enough to successfully end the execution of the transfer, but the parent call will still have some gas and can successfully end the execution. As result, the remaining ETH will not be refunded but the execution will succeed.After that, the attacker can withdraw the remaining ETH by calling
executefunction with any valid input and receiving the remaining ETH in the same way that the fair user (actually he is the attacker's target) expected to receive it.The same is applicable for the
_returnETHIfAny()and_returnETHIfAnyWithOneWeiLeft()functions, but they are not used in places of the code where it can lead to some malicious actions.Attack scenario
A fair user calls
executefunction with a nonzero ETH value andisAtomicparameter equals false.Some of the orders fail and a situation described in
Descriptionsection of this document happens ("according to EIP-150 rule ETH that should be refunded to the user will remain on the aggregator contract but the execution of the overall call will succeed"). That can happen if the attacker (for example using MEV logic) front-runs such a transaction and changes the state in an appropriate way (changes some storage slots/executes some orders by himself/makes some of the orders available/etc.). Also, it is possible if an originator is a smart contract and the call of a fallback function fails due to its internal logic.In the next transaction, the attacker calls
executefunction with any valid input (for example buying a cheap, or even fake one, nft) and receives funds that correspond to the fair user, according to the logic of the_returnETHIfAnyfunction.Impact
Theft of ETH that was not used for successful execution of orders in non-atomic execution, with the possibility of forcing a fair user to this scenario.
Please note that
eth_estimateGasfrom web3 json-rpc API, returns gas that isn't enough to finish the returning funds to the recipient. Because of that, many users will use this standard method will suffer from loss of funds.Recommended Mitigation Steps
Add an additional check that the refund ETH call was succeeded:
The text was updated successfully, but these errors were encountered: