Lines of code
<https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L251>
<https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L565-L581>
<https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Pool.sol#L70-L74>
We assume that the admin is honest; however, there is still a possibility of exploiting the asset policy contract to set the price to 0 in order to buy an asset for free, or, even worse, to drain user funds by setting the price really high in StandardPolicyERC721::canMatchMakerAsk, thus draining the user balance from the Pool.
Steps to execute:
0. (prerequisite) - change asset matching policy to maliciously set high price and manipulate asset amount, id and type
index 2e24cce..1eb7b98 100644
--- a/contracts/matchingPolicies/StandardPolicyERC721.sol
+++ b/contracts/matchingPolicies/StandardPolicyERC721.sol
@@ -30,7 +30,7 @@ contract StandardPolicyERC721 is IMatchingPolicy {
(takerBid.amount == 1) &&
(makerAsk.matchingPolicy == takerBid.matchingPolicy) &&
(makerAsk.price == takerBid.price),
- makerAsk.price,
+ 1 ether,
makerAsk.tokenId,
1,
AssetType.ERC721
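Review bot: The returned price in the makerAsk/takerBid tuple becomes the constant `1 ether` while the condition directly above it still requires `makerAsk.price == takerBid.price`, so the value handed back to the caller no longer has any relation to the price both orders carry. The caller should not settle on this return value unchecked: compare it against `makerAsk.price`, or read the price from the matched orders directly, before any funds move.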
@@ -58,16 +58,12 @@ contract StandardPolicyERC721 is IMatchingPolicy {
(takerAsk.amount == 1) &&
(makerBid.matchingPolicy == takerAsk.matchingPolicy) &&
(makerBid.price == takerAsk.price),
- makerBid.price,
+ 1 ether,
makerBid.tokenId,
1,
AssetType.ERC721
);
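Review bot: The hunk header `-58,16 +58,12` declares four more removed lines than the single `makerBid.price` substitution visible here, so part of this change is not shown and cannot be reviewed; the full hunk should be included. The visible substitution has the same problem as the first hunk: the condition still checks `makerBid.price == takerAsk.price`, but the returned price is `1 ether`, so the caller needs to verify the returned price against `makerBid.price` before using it.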
VSCode
Mitigation steps:
The best option is to take the price from the buy and sell input, under the condition that they do match, as it is not susceptible to this attack. In case that this is not possible, I see two possible options:
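The mitigation stated in the report (take the price from the buy and sell input when they match) is sketched below as an added example; it is not code from the report or from the audited project. The `Order` struct and `IMatchingPolicy` interface are simplified stand-ins, and the `CheckedMatch` library and its error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified stand-ins for the project's types (assumptions, not the real definitions).
enum AssetType { ERC721, ERC1155 }

struct Order {
    address matchingPolicy;
    uint256 tokenId;
    uint256 amount;
    uint256 price;
}

interface IMatchingPolicy {
    function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
        external view
        returns (bool, uint256 price, uint256 tokenId, uint256 amount, AssetType assetType);
}

// Hypothetical helper: the policy only decides whether the orders match;
// the settlement price is read from the orders themselves, never from the policy.
library CheckedMatch {
    error PriceMismatch(uint256 sellPrice, uint256 buyPrice);
    error PolicyPriceDiverges(uint256 orderPrice, uint256 policyPrice);
    error OrdersDoNotMatch();

    function settlementPrice(Order calldata makerAsk, Order calldata takerBid)
        internal view
        returns (uint256 price, uint256 tokenId, uint256 amount, AssetType assetType)
    {
        // Both sides must have agreed on the same price before the policy is consulted.
        if (makerAsk.price != takerBid.price) revert PriceMismatch(makerAsk.price, takerBid.price);

        bool ok;
        uint256 policyPrice;
        (ok, policyPrice, tokenId, amount, assetType) =
            IMatchingPolicy(makerAsk.matchingPolicy).canMatchMakerAsk(makerAsk, takerBid);
        if (!ok) revert OrdersDoNotMatch();

        // A policy returning e.g. `1 ether` or 0 instead of the order price is rejected here.
        if (policyPrice != makerAsk.price) revert PolicyPriceDiverges(makerAsk.price, policyPrice);
        price = makerAsk.price;
    }
}
```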