Wrong starting price when listing on Seaport for assets that has less than 18 decimals #235
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
H-15
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L639-L647
Vulnerability details
Impact
According to Astaria's docs:
https://docs.astaria.xyz/docs/protocol-mechanics/loanterms
The liquidation initial ask is specififed in 18 decimals. this is then used as a starting price when the NFT goes under auction on OpenSea. However, if the asset has less than 18 decimals, then the starting price goes wrong to Seaport.
This results in listing the NFT with too high price that makes it unlikely to be sold.
Proof of Concept
The starting price is set to the liquidation initial ask:
listedOrder = s.COLLATERAL_TOKEN.auctionVault( ICollateralToken.AuctionVaultParams({ settlementToken: stack[position].lien.token, collateralId: stack[position].lien.collateralId, maxDuration: auctionWindowMax, startingPrice: stack[0].lien.details.liquidationInitialAsk, endingPrice: 1_000 wei }) );
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L639-L647
Let's assume the asset is USDC which has 6 decimals:
Tools Used
Manual analysis
Recommended Mitigation Steps
The text was updated successfully, but these errors were encountered: