OptimisticListingSeaport.propose sets pendingBalances of newly added proposer instead of previous one #12
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
H-04
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-12-tessera/blob/1e408ebc1c4fdcc72678ea7f21a94d38855ccc0b/src/seaport/modules/OptimisticListingSeaport.sol#L126
Vulnerability details
Impact
In OptimisticListingSeaport.propose, pendingBalances is set to the collateral. The purpose of this is that the proposer of a previous proposal can withdraw his collateral afterwards. However, this is done on the storage variable proposedListing after the new listing is already set:
Because of that, it will actually set pendingBalances of the new proposer. Therefore, the old proposer loses his collateral and the new one can make proposals for free.
Proof Of Concept
This test fails and optimistic.pendingBalances(vault, bob) is equal to _collateral.
Recommended Mitigation Steps
Run
pendingBalances[_vault][proposedListing.proposer] += proposedListing.collateral;
before the _setListing call, in which case the above PoC no longer works.
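The ordering problem described in this report, reduced to a minimal model as an added example (not code from the Tessera repository or from the report's author), with the reported ordering beside the recommended one. The contract name ListingModel, the two-field Listing struct and the function names proposeVulnerable and proposeFixed are assumptions made for illustration; token transfers, price checks and Seaport order handling are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified model written for this example; not the Tessera contract.
contract ListingModel {
    struct Listing {
        address proposer;
        uint256 collateral;
    }

    // vault => currently proposed listing
    mapping(address => Listing) public proposedListings;
    // vault => account => collateral that account may withdraw
    mapping(address => mapping(address => uint256)) public pendingBalances;

    // Ordering described in the report: overwrite first, credit second.
    function proposeVulnerable(address _vault, uint256 _collateral) external {
        Listing storage proposedListing = proposedListings[_vault];
        _setListing(proposedListing, msg.sender, _collateral);
        // proposedListing is a storage reference, so these reads return the
        // values written one line above: msg.sender is credited, and the
        // previous proposer's collateral is never recorded.
        pendingBalances[_vault][proposedListing.proposer] += proposedListing.collateral;
    }

    // Ordering from the recommended mitigation: credit first, overwrite second.
    function proposeFixed(address _vault, uint256 _collateral) external {
        Listing storage proposedListing = proposedListings[_vault];
        // Still holds the previous proposal, so the previous proposer is credited.
        pendingBalances[_vault][proposedListing.proposer] += proposedListing.collateral;
        _setListing(proposedListing, msg.sender, _collateral);
    }

    // Writes through the storage reference, replacing the stored proposal.
    function _setListing(
        Listing storage _listing,
        address _proposer,
        uint256 _collateral
    ) private {
        _listing.proposer = _proposer;
        _listing.collateral = _collateral;
    }
}
```

In this model, proposeVulnerable credits each caller with the collateral they just posted and leaves the replaced proposer's pendingBalances unchanged, while proposeFixed credits the replaced proposer and not the caller.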