Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DoS on buy() and change() in EthRouter.sol #170

Closed
code423n4 opened this issue Apr 10, 2023 · 2 comments
Closed

DoS on buy() and change() in EthRouter.sol #170

code423n4 opened this issue Apr 10, 2023 · 2 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-280 edited-by-warden grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

code423n4 commented Apr 10, 2023
edited
Loading

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L99-L144
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L254-L293

Vulnerability details

Impact

Calling buy() or change() from EthRouter.sol could be denied if the transaction is frontrun such that one of the NFTs in the pool is bought or changed. This could happen when a nasty actor deliberately watches the mempool and frontruns a large transaction that involves multiple pools. It could also happen in a high volume trade where the transaction is inadvertently preceded by another user.

Proof of Concept

Here is a typical scenario:

  1. Bob wants to buy token Agreements & Disclosures #1, QA Report #2, and Gas Optimizations #3. Token Agreements & Disclosures #1 belongs to pool A. Tokens QA Report #2, and Gas Optimizations #3 belong to pool B.
  2. Bob submits an array of buys to the EthRouter to execute a buy from both pool A and pool B in one transaction.
  3. Alex, upon seeing this in the mempool, frontruns Bob's transaction to buy token Gas Optimizations #3 from pool B.
  4. Bob's transaction is denied because buy() in the PrivatePool where the NFT has been bought by Alex reverts when it is attempting to transfer the NFT to the caller, i.e. EthRouter:

File: PrivatePool.sol#L239-L240

            // transfer the NFT to the caller
            ERC721(nft).safeTransferFrom(address(this), msg.sender, tokenIds[i]);

Similarly, calling change() could also end up reverting in the following code lines if one of the NFTs no longer sits in the pool.

File: PrivatePool.sol#L445-L448

         // transfer the output nfts to the caller
        for (uint256 i = 0; i < outputTokenIds.length; i++) {
            ERC721(nft).safeTransferFrom(address(this), msg.sender, outputTokenIds[i]);
        }

Tools Used

Manual

Recommended Mitigation Steps

Consider implementing try catch in buy() and change() of EthRouter that will gracefully fail but not revert in situations like these and continue to the next iteration. That way, the requests get partially filled to constitute a win-win situation to every party.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 10, 2023
code423n4 added a commit that referenced this issue Apr 10, 2023
@code423n4
RaymondFam issue #170
8aedf3f
@code423n4 code423n4 changed the title Not all prices of the pools will be 18 decimals of accuracy DoS on buy() and change() in EthRouter.sol Apr 10, 2023
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #280

@c4-judge
Copy link
Contributor

c4-judge commented May 2, 2023

GalloDaSballo changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-280 edited-by-warden grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-pre-sort @C4-Staff