Code4rena (code423n4): 2022-11-LOOKSRARE-FINDINGS-ISSUES-257
Nov 13, 2022

Unsafe ERC20 operations due to lack of contract length check


Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/lowLevelCallers/LowLevelERC20Transfer.sol#L46-L57
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/lowLevelCallers/LowLevelERC20Approve.sol#L20-L31
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/ERC20EnabledLooksRareAggregator.sol#L35
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/ERC20EnabledLooksRareAggregator.sol#L42
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L108
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L245

Vulnerability details

Impact

The functions _executeERC20DirectTransfer and _executeERC20TransferFrom replicate solmate's library methods. The problem is that these functions do not check for the existence of code at the token address.

If _executeERC20DirectTransfer and _executeERC20TransferFrom are called on a token address that has no contract deployed at it, the call will always return success, bypassing the return value check.

These functions affect:

  • _pullERC20Tokens, which affects the execute function
  • _returnERC20TokensIfAny, which affects execute in LooksRareAggregator

POC

The problem is similar to the one reported in the OlympusDAO contest. Also check [frangio]'s answer in the OpenZeppelin forum.

Mitigation steps

Check the contract code length to verify that the currency address is in fact a contract.
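The following is an added illustration, not the LooksRare contract: a solmate-style low-level transfer that treats the empty return of a codeless address as success, beside a hardened version that applies the code-length check above. The contract name, error names and function names are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the LooksRare code: names below are assumptions.
contract LowLevelERC20Demo {
    error ERC20TransferFail();
    error NotAContract(address currency);

    // The pattern the report describes: a raw call whose success flag and
    // optional bool return value are checked, but not whether `currency` has
    // any code. A call to a codeless address succeeds with empty return data,
    // so both checks pass and the "transfer" is treated as successful even
    // though no token moved.
    function transferUnchecked(address currency, address to, uint256 amount) external {
        (bool status, bytes memory data) = currency.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        if (!status) revert ERC20TransferFail();
        // Tokens that return no value leave `data` empty, which is why the
        // empty case is accepted here; that is exactly what a codeless
        // address also produces.
        if (data.length > 0 && !abi.decode(data, (bool))) revert ERC20TransferFail();
    }

    // Hardened version: reject currencies with no deployed bytecode before
    // making the call. `address.code.length` compiles to EXTCODESIZE and is 0
    // for externally owned accounts.
    function transferChecked(address currency, address to, uint256 amount) external {
        if (currency.code.length == 0) revert NotAContract(currency);
        (bool status, bytes memory data) = currency.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        if (!status) revert ERC20TransferFail();
        if (data.length > 0 && !abi.decode(data, (bool))) revert ERC20TransferFail();
    }
}
```

The same guard belongs in every helper that uses this raw-call pattern, which here includes the transferFrom and approve helpers listed under "Lines of code", not only the direct transfer.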

