DoS on buy() and change() in EthRouter.sol #170
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-280
edited-by-warden
grade-b
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L99-L144
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L254-L293
Vulnerability details
Impact
Calling
buy()
orchange()
from EthRouter.sol could be denied if the transaction is frontrun such that one of the NFTs in the pool is bought or changed. This could happen when a nasty actor deliberately watches the mempool and frontruns a large transaction that involves multiple pools. It could also happen in a high volume trade where the transaction is inadvertently preceded by another user.Proof of Concept
Here is a typical scenario:
buys
to the EthRouter to execute a buy from both pool A and pool B in one transaction.buy()
in the PrivatePool where the NFT has been bought by Alex reverts when it is attempting to transfer the NFT to the caller, i.e. EthRouter:File: PrivatePool.sol#L239-L240
Similarly, calling
change()
could also end up reverting in the following code lines if one of the NFTs no longer sits in the pool.File: PrivatePool.sol#L445-L448
Tools Used
Manual
Recommended Mitigation Steps
Consider implementing
try catch
inbuy()
andchange()
of EthRouter that will gracefully fail but not revert in situations like these and continue to the next iteration. That way, the requests get partially filled to constitute a win-win situation to every party.The text was updated successfully, but these errors were encountered: