Attacker can delay proposal rejection #24
Labels
2 (Med Risk): assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: something isn't working
disagree with severity: sponsor confirms validity, but disagrees with the warden's risk assessment (sponsor explains in comments)
downgraded by judge: judge downgraded the risk level of this issue
M-02
primary issue: highest quality submission among a set of duplicates
selected for report: this submission will be included/highlighted in the audit report
Lines of code
https://github.com/code-423n4/2022-12-tessera/blob/f37a11407da2af844bbfe868e1422e3665a5f8e4/src/seaport/modules/OptimisticListingSeaport.sol#L145
Vulnerability details
Impact
In OptimisticListingSeaport.rejectProposal, the call reverts if proposedListing.collateral < _amount. An attacker can therefore monitor the mempool and front-run a pending rejectProposal call with a rejectProposal call of their own for a smaller amount, reducing proposedListing.collateral to _amount - 1 so that the honest call reverts and the rejection is delayed. Because this can be repeated for every new rejection attempt, the attacker may even be able to deny the rejection entirely until the deadline passes.
https://github.com/code-423n4/2022-12-tessera/blob/f37a11407da2af844bbfe868e1422e3665a5f8e4/src/seaport/modules/OptimisticListingSeaport.sol#L145
https://github.com/code-423n4/2022-12-tessera/blob/f37a11407da2af844bbfe868e1422e3665a5f8e4/src/seaport/modules/OptimisticListingSeaport.sol#L153
proposedListing.collateral -= _amount;
Proof of Concept
Recommended Mitigation Steps
When proposedListing.collateral < _amount, set _amount to proposedListing.collateral instead of reverting, and refund the excess payment to the caller. The honest rejection then completes with whatever collateral is left, so front-running with a small rejection no longer blocks it.
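The front-running race described under Impact and the clamp-and-refund mitigation recommended above, as an added example. This is a Python model written for this page, not code from the Tessera repository: it reduces rejectProposal to the state the report relies on (proposedListing.collateral and a per-token price the rejector pays) and compares the current check, which reverts when collateral < _amount, with the clamped version. The Listing class, the price_per_token field, the rejected flag, the exact-payment check in the current version and the NothingToReject error in the hardened one are assumptions of the model, not identifiers from the contract.

```python
"""Model of the rejectProposal front-running race (added example, not project code)."""
from dataclasses import dataclass


class Revert(Exception):
    """Stands in for a Solidity revert; the message is the custom error name."""


@dataclass
class Listing:
    proposer: str
    collateral: int         # tokens the proposer locked behind the listing
    price_per_token: int    # wei a rejector pays per token bought back (assumed field)
    rejected: bool = False  # assumption: a listing is rejected once all collateral is bought


def reject_proposal_vulnerable(listing, caller, amount, msg_value, balances):
    """Current behaviour: revert if the caller asks for more than is left.

    Mirrors the collateral check at L145 and the decrement at L153 of the
    linked file; the exact-payment check is an assumption of this model.
    """
    if listing.collateral < amount:
        raise Revert("InsufficientCollateral")
    if msg_value != listing.price_per_token * amount:
        raise Revert("InvalidPayment")
    listing.collateral -= amount
    balances[caller] = balances.get(caller, 0) + amount
    if listing.collateral == 0:
        listing.rejected = True
    return amount, 0  # (tokens bought, wei refunded)


def reject_proposal_hardened(listing, caller, amount, msg_value, balances):
    """Recommended mitigation: clamp amount to the remaining collateral and refund.

    The payment check becomes a lower bound, because the caller cannot know the
    exact collateral at execution time; the difference is returned to them.
    """
    bought = min(amount, listing.collateral)
    if bought == 0:
        raise Revert("NothingToReject")  # assumption: nothing left to buy back
    cost = listing.price_per_token * bought
    if msg_value < cost:
        raise Revert("InvalidPayment")
    listing.collateral -= bought
    balances[caller] = balances.get(caller, 0) + bought
    if listing.collateral == 0:
        listing.rejected = True
    return bought, msg_value - cost


def simulate_front_run(reject_fn, attacker_amount=1):
    """Honest rejector submits a full-collateral rejection; the attacker front-runs it.

    Returns a dict describing how the honest transaction ended. The scenario
    (100 tokens of collateral at 10 wei each) is constructed for the model.
    """
    listing = Listing(proposer="proposer", collateral=100, price_per_token=10)
    balances = {}
    honest_amount = 100
    honest_value = honest_amount * listing.price_per_token

    # The attacker's transaction is mined first and shrinks the collateral.
    reject_fn(listing, "attacker", attacker_amount,
              attacker_amount * listing.price_per_token, balances)

    try:
        bought, refund = reject_fn(listing, "rejector", honest_amount,
                                   honest_value, balances)
    except Revert as exc:
        return {"outcome": "reverted", "reason": str(exc),
                "rejected": listing.rejected}
    return {"outcome": "executed", "bought": bought, "refund": refund,
            "rejected": listing.rejected}


if __name__ == "__main__":
    print("vulnerable:", simulate_front_run(reject_proposal_vulnerable))
    print("hardened:  ", simulate_front_run(reject_proposal_hardened))
    # If the attacker buys everything, the proposal is already rejected, which is
    # what the honest rejector wanted; the hardened path then reverts harmlessly.
    print("hardened, attacker buys all:",
          simulate_front_run(reject_proposal_hardened, attacker_amount=100))
```

With the current check the honest transaction reverts with InsufficientCollateral and the listing stays open; with the clamp the same transaction buys the remaining 99 tokens, receives 10 wei back and rejects the listing. When porting the fix to the contract, the payment check next to the collateral check has to change from an equality to a lower bound in the same edit, and the refund should use the contract's existing ETH transfer path rather than a bare transfer.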