Trapped ETH inside LooksRareAggregator
cannot be rescued by owner
and may be stolen by attacker
#87
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-277
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L109
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L220
Vulnerability details
Impact
Trapped ETH inside
LooksRareAggregator
cannot be rescued byowner
, as the contract only implementsrescueERC721
andrescueERC1155
, but not an equivalentrescueETH
.As a result, an attacker can steal any trapped ETH simply by calling
execute
on any order and receive the total balance of the contract via the_returnETHIfAny
function at the end of theexecute
method fromLooksRareAggregator
.Proof of Concept
LooksRareAggregator
execute
and successfully fills the order. The contract's balance (consisting of Alice's ETH) will be transferred to BobTools Used
Foundry
Recommended Mitigation Steps
rescueETH
following the other methodsrescueERC721
andrescueERC1155
.receive
function from the contractThe text was updated successfully, but these errors were encountered: