
Wrong starting price when listing on Seaport for assets that has less than 18 decimals #235

Open
code423n4 opened this issue Jan 15, 2023 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-15 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Contributor

Lines of code

https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L639-L647

Vulnerability details

Impact

According to Astaria's docs:
https://docs.astaria.xyz/docs/protocol-mechanics/loanterms

Liquidation initial ask: Should the NFT go into liquidation, the initial price of the auction will be set to this value. Note that this is set as a starting point for a dutch auction, and the price will decrease over the liquidation period. This figure should also be specified in 10^18 format.

The liquidation initial ask is specified in 18 decimals. This is then used as a starting price when the NFT goes under auction on OpenSea. However, if the asset has less than 18 decimals, then the starting price passed to Seaport is wrong.

This results in listing the NFT with too high a price, which makes it unlikely to be sold.

Proof of Concept

The starting price is set to the liquidation initial ask:

    listedOrder = s.COLLATERAL_TOKEN.auctionVault(
      ICollateralToken.AuctionVaultParams({
        settlementToken: stack[position].lien.token,
        collateralId: stack[position].lien.collateralId,
        maxDuration: auctionWindowMax,
        startingPrice: stack[0].lien.details.liquidationInitialAsk,
        endingPrice: 1_000 wei
      })
    );

https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L639-L647

Let's assume the asset is USDC which has 6 decimals:

  1. Strategist signs a strategy with liquidationInitialAsk 1000e18.
  2. Following the docs, this means the starting price is supposed to be 1000 USDC.
  3. The NFT is being liquidated.
  4. 1000e18 is passed to Seaport along with asset USDC.
  5. Seaport lists the NFT, and the price will be too high, as 1000e18 will be 1000000000000000 USDC.

Tools Used

Manual analysis

Recommended Mitigation Steps

  1. Either fetch the asset's decimals on-chain or add it as a part of the strategy.
  2. Convert liquidationInitialAsk to the asset's decimals before passing it as a starting price.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 15, 2023
code423n4 added a commit that referenced this issue Jan 15, 2023
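The decimal mismatch in the proof of concept and the conversion proposed under the mitigation steps, as an added example that is not Astaria's code. The `AskScaling` library, the `StartingPriceExample` contract, the `naiveStartingPrice`/`scaledStartingPrice` functions and the `MockUSDC` contract are all hypothetical names introduced here; the only assumptions taken from the page are that the ask is expressed with 18 decimals and that the settlement token may have fewer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not part of the Astaria codebase. It shows the difference
// between passing an 18-decimal liquidationInitialAsk straight through to
// Seaport and rescaling it to the settlement token's own decimals first.

// Minimal view of the optional ERC-20 metadata extension.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

// Hypothetical helper library: rescales an 18-decimal ask to a token's decimals.
library AskScaling {
    uint8 internal constant ASK_DECIMALS = 18;

    /// @notice Convert `ask18` (18-decimal fixed point) to `tokenDecimals` places.
    /// @dev Integer division truncates when the token has fewer decimals; any
    ///      sub-unit remainder of the ask is dropped rather than rounded up.
    function scaleAsk(uint256 ask18, uint8 tokenDecimals) internal pure returns (uint256) {
        if (tokenDecimals == ASK_DECIMALS) {
            return ask18;
        }
        if (tokenDecimals < ASK_DECIMALS) {
            // e.g. a 6-decimal token: divide by 10^(18-6) = 1e12
            return ask18 / (10 ** uint256(ASK_DECIMALS - tokenDecimals));
        }
        // Token with more than 18 decimals: scale up instead
        return ask18 * (10 ** uint256(tokenDecimals - ASK_DECIMALS));
    }
}

// Hypothetical contract contrasting the unscaled and scaled starting prices.
contract StartingPriceExample {
    using AskScaling for uint256;

    /// @dev Mirrors the behaviour described in the issue: the raw 18-decimal
    ///      ask is used as the starting price regardless of token decimals.
    function naiveStartingPrice(uint256 liquidationInitialAsk) external pure returns (uint256) {
        return liquidationInitialAsk;
    }

    /// @dev Mitigated path (option 1 from the issue): read decimals on-chain
    ///      and rescale the ask before it is handed to the auction.
    function scaledStartingPrice(address settlementToken, uint256 liquidationInitialAsk)
        external
        view
        returns (uint256)
    {
        uint8 tokenDecimals = IERC20Metadata(settlementToken).decimals();
        return liquidationInitialAsk.scaleAsk(tokenDecimals);
    }

    /// @dev Mitigated path (option 2 from the issue): decimals supplied as part
    ///      of the strategy, so no external call is needed.
    function scaledStartingPriceFromStrategy(uint8 strategyDecimals, uint256 liquidationInitialAsk)
        external
        pure
        returns (uint256)
    {
        return liquidationInitialAsk.scaleAsk(strategyDecimals);
    }
}

// Constructed 6-decimal mock standing in for USDC in a local test; not a real token.
contract MockUSDC is IERC20Metadata {
    function decimals() external pure override returns (uint8) {
        return 6;
    }
}
```

Deploying `MockUSDC` and calling `scaledStartingPrice(address(mock), 1000e18)` yields `1000e6`, i.e. 1000 units of a 6-decimal token, whereas `naiveStartingPrice(1000e18)` returns the unscaled `1000e18` that the issue describes being sent to Seaport. Note that `decimals()` is optional in the ERC-20 standard, so the on-chain lookup reverts for a token that does not implement it; carrying the decimals in the strategy, the issue's second option, avoids that dependency but shifts the responsibility for a correct value onto the strategist.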
@c4-sponsor

SantiagoGregory marked the issue as sponsor confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 27, 2023
@androolloyd

@androolloyd

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 19, 2023
@c4-judge
Contributor

Picodes marked the issue as satisfactory

@C4-Staff C4-Staff added selected for report This submission will be included/highlighted in the audit report H-15 labels Feb 28, 2023