Public to all funds escape #277
Comments
Picodes marked the issue as primary issue
As only stuck funds are at risk, and as the aggregator contract itself is not supposed to handle funds, I don't think this qualifies for High Severity
Picodes changed the severity to 2 (Med Risk)
Picodes marked the issue as selected for report
We have decided that any ERC20 tokens sent there accidentally are free for all
0xhiroshi marked the issue as sponsor disputed
Keeping the medium severity because the contract implements
Picodes marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/TokenRescuer.sol#L22
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/TokenRescuer.sol#L34
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L27
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L108
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L109
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L245
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelETH.sol#L43
Vulnerability details
Description
The `LooksRareAggregator` smart contract implements a bunch of functions to escape funds by the contract owner (see `rescueETH`, `rescueERC20`, `rescueERC721`, and `rescueERC1155`). In this way, any funds that were accidentally sent to the contract or were locked due to an incorrect contract implementation can be returned to the owner. However, locked funds can be rescued by anyone without the owner's permission. This is completely contrary to the idea of having rescue functions.

In order to withdraw funds from the contract, a user may just call the `execute` function in the `ERC20EnabledLooksRareAggregator` with `tokenTransfers` that contain the addresses of the tokens to be withdrawn. Thus, after the order execution, `_returnERC20TokensIfAny` and `_returnETHIfAny` will be called, and the whole balance of the provided ERC20 tokens and Ether will be returned to `msg.sender`. Please note that this means the owner can be front-run on the `rescue` functions, and an attacker will receive the funds instead.

Impact
The rescue functionality is useless, and any funds stuck in the contract can be taken by whoever calls `execute` first.
Recommended Mitigation Steps
`_returnETHIfAny` and `_returnERC20TokensIfAny` should return only the amount of the token that was deposited by the caller.
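As an added illustration, and not code from the LooksRare repository, the following hypothetical, simplified contract shows the refund pattern the mitigation describes. The weak form sweeps the contract's entire token balance to the caller, so anything already sitting in the contract (the stuck funds the owner's rescue functions exist for) leaves with `msg.sender`. The hardened form snapshots balances before pulling the caller's tokens and refunds only the unspent delta, so pre-existing balances stay in place for the owner. The contract name `RefundExample`, the struct `TokenTransfer`, and the `balancesBefore`/`ethBefore` bookkeeping are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, simplified illustration; not the LooksRare aggregator's code.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed shape of a caller-supplied transfer: how much of which token to pull in.
struct TokenTransfer {
    uint256 amount;
    address currency;
}

contract RefundExample {
    // Weak pattern: refunds the contract's whole balance of each listed token.
    // Tokens that were stuck in the contract before this call are swept out too,
    // which is exactly what lets anyone pre-empt the owner's rescue function.
    function _returnERC20TokensIfAnySweep(TokenTransfer[] calldata tokenTransfers) internal {
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            uint256 balance = token.balanceOf(address(this));
            if (balance > 0) require(token.transfer(msg.sender, balance), "refund failed");
        }
    }

    // Hardened pattern: record what the contract held before the caller's
    // deposit, and later refund only what the caller brought in and did not spend.
    function execute(TokenTransfer[] calldata tokenTransfers) external payable {
        uint256[] memory balancesBefore = new uint256[](tokenTransfers.length);
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            balancesBefore[i] = token.balanceOf(address(this));
            require(
                token.transferFrom(msg.sender, address(this), tokenTransfers[i].amount),
                "transferFrom failed"
            );
        }
        // msg.value is already credited to the contract when this runs,
        // so the pre-call ETH balance is the current balance minus msg.value.
        uint256 ethBefore = address(this).balance - msg.value;

        // ... order execution would spend part of the pulled tokens/ETH here ...

        _returnERC20TokensIfAny(tokenTransfers, balancesBefore);
        _returnETHIfAny(ethBefore);
    }

    function _returnERC20TokensIfAny(
        TokenTransfer[] calldata tokenTransfers,
        uint256[] memory balancesBefore
    ) internal {
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            uint256 balanceAfter = token.balanceOf(address(this));
            // Refund only the delta above the snapshot; the pre-existing balance
            // remains in the contract for the owner's rescue function.
            if (balanceAfter > balancesBefore[i]) {
                require(token.transfer(msg.sender, balanceAfter - balancesBefore[i]), "refund failed");
            }
        }
    }

    function _returnETHIfAny(uint256 ethBefore) internal {
        uint256 balanceAfter = address(this).balance;
        if (balanceAfter > ethBefore) {
            (bool ok, ) = msg.sender.call{value: balanceAfter - ethBefore}("");
            require(ok, "ETH refund failed");
        }
    }
}
```

Because the delta is measured from actual balances rather than from `tokenTransfers[i].amount`, fee-on-transfer tokens are refunded at the amount actually received. One caveat for a real implementation: if the same `currency` appears twice in `tokenTransfers`, the second snapshot already includes the first deposit, so the list should be deduplicated (or the snapshot keyed per unique token) before taking balances.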