Too much fee charged when Seaport is partially filled #71
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-02
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/proxies/SeaportProxy.sol#L136-L147
Vulnerability details
Impact
When a user fulfills an order using SeaportProxy, fees are charged in the _handleFees function based on orders.price.
According to the Seaport documentation, Seaport allows partial fulfillment of orders, which results in too much fee being charged when an order is partially filled
https://docs.opensea.io/v2.0/reference/seaport-overview#partial-fills
Consider feeBp == 2%
The order on Seaport has a fill status of 0/100 and each item is worth 1 eth.
User A fulfills the order using LooksRareAggregator.execute and sends 102 ETH, where order.price == 100 ETH.
Since the other user fulfilled the order before User A, when User A fulfills the order, the order status is 99/100
Eventually User A buys an item for 1 ETH but pays a fee of 2 ETH.
Proof of Concept
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/proxies/SeaportProxy.sol#L136-L147
Tools Used
None
Recommended Mitigation Steps
Consider charging fees based on the user's actual filled price
The text was updated successfully, but these errors were encountered: