The current NonceManager (deployed version) does not expect a nonce to go as high to actually trigger an integer overflow and is therefore, unchecked.
However, it is completely possible to have the nonce go as high with EIP 1271 contracts that hold the NFTs in question. For example, if there is a re-entrancy vulnerability in the EIP 1271 cancel function (that increments nonce), and when this vulnerability is chained with Seaport, invalid offers can then become valid.
A simple POC can be performed by a contract that calls incrementNonce in a loop upto max uint. To counter the out of gas situation, the loop can break when remaining gas reaches a threshold, and the attack vector can be repeatedly called again until it hits max uint.
The reference implementation of NonceManager does not have this issue, but the production version does.
VIsual Studio Code
Remove unchecked on line 33
The text was updated successfully, but these errors were encountered:
All reactions