16 matches found
Upgraded Q -> H from 19 [1657761554720]
Judge has assessed an item in Issue 129 as High risk. The relevant finding follows: InfinityExchange.sol L326 and InfinityExchange.sol L362: When a user pays too much ETH, the additional cost is not reimbursed, in contrast to ERC20 transfers, where this is not possible. Consider reimbursing the user li...
Upgraded Q -> M from 270 [1657580410834]
Judge has assessed an item in Issue 270 as Medium risk. The relevant finding follows: 6.L - Admin config ProtocolFee and gasFee missing max amount check, which can be used to take funds from users. With PROTOCOL_FEE_BPS > 10000 (more than 100%), the exchange can steal user WETH who might approve max WETH...
Admin can set arbitrarily high WETH_TRANSFER_GAS_UNITS which is a fee
Lines of code. Vulnerability details. Impact: Users can lose their funds by attack from the admins. PoC: In the function updateWethTranferGas in InfinityExchange.sol there is no limit for setting WETH_TRANSFER_GAS_UNITS. As this is a kind of fee paid by the buyers to the contract, by definition of the...
ETH mistakenly sent over with ERC20 based takeOrders and takeMultipleOneOrders calls will be lost
Lines of code. Vulnerability details: takeOrders and takeMultipleOneOrders are the main user-facing functionality of the protocol. Both require currency to be fixed for the call and can have it either as an ERC20 token or ETH. This way, the probability of a user sending over ETH with the call whos...
NO TIMELOCK ON setProtocolFee() CAN LEAD TO SELLERS LOSING THEIR NFTs
Lines of code. Vulnerability details: NO TIMELOCK ON setProtocolFee CAN LEAD TO SELLERS LOSING THEIR NFTs. In InfinityExchange.sol, there is no timelock on setProtocolFee. This is the fee that is applied in orders, and determines how much the Exchange receives in fees vs. how much the seller receives...
Owner cannot transfer ETH balance of the exchange
Lines of code. Vulnerability details: User-called takeOrders and takeMultipleOneOrders functions accumulate native token fees over time. These fees end up being frozen on the contract balance. There is only one way for an owner to transfer them, a rescueETH function, that isn't able to access ETH...
The owner can set arbitrarily high fees
Lines of code. Vulnerability details. Impact: The owner of the InfinityExchange contract can set arbitrarily big fees, and could steal funds from sellers. Proof of Concept: When an order is executed, the payment and the transfer from buyer to seller and vice versa are done by the transferNFTsAndFees function which...
Overpaying ETH in InfinityExchange
Lines of code. Vulnerability details. Impact: A user of the InfinityExchange contract can accidentally send more ETH than needed without the possibility to get the overpaid amount refunded. Proof of Concept: if (isMakerSeller && currency == address(0)) require(msg.value == totalPrice, 'invalid total price')...
Accumulated ETH fees of InfinityExchange cannot be retrieved
Lines of code. Vulnerability details: ETH fees accumulated from takeOrders and takeMultipleOneOrders operations are permanently frozen within the contract, as there is only one way designed to retrieve them, a rescueETH function, and it will work as intended, not being able to access the ETH balance of...
matchOneToManyOrders doesn't consider numItems of the orders
Lines of code. Vulnerability details. Impact: An order can specify a numItems in MakerOrder.constraints[0]. This number is the min/max number of items the order wants to buy/sell. For example, a buy order can provide a list of NFTs and say that it wants to buy only 3 of them from that list. The function...
rescueETH function doesn't work as expected
Lines of code. Vulnerability details. Impact: The rescueETH function is implemented to collect any unexpected ETH transferred to the InfinityExchange.sol contract, but this function will not work as expected. The function is supposed to return the ETH from the contract to the specified destination...
InfinityExchange owner can grief with high fees
Lines of code. Vulnerability details. Impact: The owner of the InfinityExchange contract can set any high fee values for PROTOCOL_FEE_BPS via the InfinityExchange.setProtocolFee function. The fee value should be limited to a maximum of 10000. If set to higher values, and due to the usage across functio...
Owner can grief with high gas units
Lines of code. Vulnerability details. Impact: The owner of the InfinityExchange contract can frontrun sellers/buyers, e.g. the InfinityExchange.matchOneToOneOrders and InfinityExchange.matchOneToManyOrders functions, and set arbitrarily high gas units with updateWethTranferGas, which can either cause an...
rescueEth does not transfer ether in contract
Lines of code. Vulnerability details. Impact: The InfinityStaker.rescueETH and InfinityExchange.rescueETH payable functions send msg.value to the destination and not the ether in the contract, so the fees and accidentally transferred ether are not sent to the destination address. Proof of Concept...
Rescue ETH at InfinityExchange.sol is incorrectly implemented
Lines of code. Vulnerability details. Impact: Admins are unable to recover any ETH locked in the contract. PoC: The function rescueETH in InfinityExchange.sol is incorrectly implemented. It is using msg.value instead of the balance of the contract: function rescueETH(address destination) external payable...
Buyer may not agree on gasCost
Lines of code. Vulnerability details. Impact: Gas cost when matching orders is paid by the buyer. Since buyers don't have control over order execution, they may spend more gas than what they are willing to. Examples: periods of high gasPrice, or if NFTs for some reason consume an extra amount of gas...