AN ATTACKER CAN CREATE A SHORT PUT OPTION ORDER ON AN NFT THAT DOES NOT SUPPORT ERC721 (LIKE CRYPTOPUNK), AND THE USER CAN FULFILL THE ORDER, BUT CANNOT EXERCISE THE OPTION
Lines of code Vulnerability details Impact Blur is a kind of NFT marketplace which will somehow attract high-value NFT items like cryptopunk. Therefore assuming the platform will handle cryptopunk NFT is a common thing, and this raises an issue. An attacker can create a short put option on...
StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount
Lines of code Vulnerability details Impact The canMatchMakerAsk and canMatchMakerBid functions in StandardPolicyERC1155.sol will only return 1 as the amount instead of the order.amount value. This value is then used in the executeTokenTransfer call during the execution flow and leads to only 1...
Griefing of execute transaction sender
Lines of code Vulnerability details Description In function execute from BlurExchange contract there is a call of executeTokenTransfer function. The last one contains the following logic: function executeTokenTransfer address collection, address from, address to, uint256 tokenId, uint256 amount,...
ExecutionDelegate can approve arbitrary calling contract
Lines of code Vulnerability details Impact Owner can steal users' funds and tokens. Proof of Concept The owner of ExecutionDelegate can approve any contract to call it, e.g. a malicious contract which can then drain all funds and tokens approved by users to ExecutionDelegate. Users should only...
Incorrect implementation of the MerkleVerifier.sol library
Lines of code Vulnerability details Impact The MerkleVerifier results in an incorrect verification of the Merkle Tree. Description Using a simple test case from and deploying the contracts with MerkleVerifier.sol. We can see that the results differs when attempting to verify the Merkle Tree. Test...
BlurExchange#setBlockRange can cause previously expired order to be unexpectedly valid again
Lines of code Vulnerability details Impact A previously canceled order becomes valid again Proof of Concept BlurExchange#setBlockRange allows the owner to set the block range for which the oracle's signature is valid. If the block range is set to longer, orders that would have been invalid are...
Orders of ERC1155 tokens with different amounts can be matched
Lines of code Vulnerability details Impact Both StandardPolicyERC1155.canMatchMakerBid and StandardPolicyERC1155.canMatchMakerBid return a boolean that ensure the orders parameters match. This boolean is then checked in BlurExchange.canMatchOrders. The problem is that this boolean does not take...
Asset that seller or buyer does not intend to sell or buy can be unexpectedly sold or bought
Lines of code Vulnerability details Impact Calling the execute function further calls the validateSignatures function, which executes if order.order.trader == msg.sender return true; . This means that the user, who calls the execute function, does not need to verify that the corresponding order w...
blockRange should have a minimal value
Lines of code Vulnerability details Impact The blockRange doesn't have any minimal value so owner can call the setBlockRange function to change the blockRange value to a lower value which will automatically block the matching of some of the orders that have expirationTime == 0. Proof of Concept Th...
revokeApproval() only work with WETH
Lines of code Vulnerability details Impact User can invoke execute successfully even if revokedApprovalmsg.sender == true Proof of Concept If buyer did invoke revokeApproval it only block matching the orders if paymentToken == WETH but if the paymentToken == address0 the buyer could invoke execut...
Assume that asset type passed from outside is valid
Lines of code Vulnerability details Impact Assume that asset type passed from outside is valid. Proof of Concept Tools Used Code analytics Recommended Mitigation Steps Better way is to cast collection address to some interface, use method to obtain type.
Contract Upgradeable Without Timelock
Lines of code Vulnerability details Vulnerability Details The BlurExchange is an upgradeable smart contract. We found that its upgrade mechanism is not bound to any time delay. In case the owner's private key is leaked or compromised, an attacker can upgrade the contract containing a malicious co...
Transfer remainder of msg.value is bad practice
Lines of code Vulnerability details Impact Transfer remainder of msg.value is bad practice. Can lead to out of gas, reentrancy and so on. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Can create method getReminder and user to call to get all remainders for him.
The full intention of an order is not signed
Lines of code Vulnerability details Impact Orders might be replayed or executed where not intended. Proof of Concept The signed order specifies only the matching policy, but not the BlurExchange or ExecutionDelegate. This means that the user might have intended an order specifically for this...
Dangerous calls _transferTo function
Lines of code Vulnerability details Impact Dangerous calls transferTo function Proof of Concept transferToaddress,address,address,uint256 contracts/BlurExchange.sol496-515 sends eth to arbitrary user Dangerous calls: - addressto.transferamount contracts/BlurExchange.sol508 Recommended Mitigation...
Arbitrary send of non protected function may lead into loss of funds
Lines of code Vulnerability details Arbitrary send of non protected function may lead into loss of funds Impact Unprotected call to a function sending Ether to an arbitrary address may lead into loss of funds. Proof Of Concept In BlurExchange.sol, method transferTo uses an arbitrary user to send...
Reentrancy
Lines of code Vulnerability details Reentrancy in BlurExchange.executeInput,Input contracts/BlurExchange.sol128-175: External calls: - executeFundsTransfersell.order.trader,buy.order.trader,sell.order.paymentToken,sell.order.fees,price contracts/BlurExchange.sol147-153 -...
USE SAFETRANSFERFROM INSTEAD OF TRANSFERFROM FOR ERC721 TRANSFERS
Lines of code Vulnerability details Even though the function implements transferERC721 function which uses safeTransferFrom, there exists another function - transferERC721Unsafe . If transferERC721Unsafe is called and the recipient is not capable of receiving ERC721, the ERC721 token may be...
Usage return instead revert
Lines of code Vulnerability details Impact Usage return instead revert Proof of Concept Tools Used Recommended Mitigation Steps Use revert with correct error.
The buyer will lose their funds by "gas limit DoS via unbounded operations"
Lines of code Vulnerability details Impact If the buyer invoke execute he will lose their funds by gas limit DoS via unbounded operations Proof of Concept execute == executeFundsTransfer == transferFees In case, execute is called by the buyer ,and the seller set fees.length == 2^256-1 As we see...
Lack Of A Safety Mechanism For Deducting Selling Fees
Lines of code Vulnerability details Vulnerability Details The transferFees function of the BlurExchange contract calculates and transfers selling fees to multiple fee receivers as shown in L477 - 478 in code snippet 1. The selling fees would be deducted from the selling price. In other words, a...
Direct usage of execute() may leave unintended replayable orders
Lines of code Vulnerability details Impact A user might unexpectedly have his order replayed. Proof of Concept The usage of execute is ambiguous. Either the user attempts to match and execute any two already placed orders, or he has found an order of interest and calls execute with a new order...
CONTRACT DOES NOT SAVE DETAILS ABOUT ORDERS SO AN ATTACKER COULD COME UP WITH THEIR OWN BUY AND SELL ORDER AND EXECUTE IT
Lines of code Vulnerability details Impact Since the contract doesn't store any values other than cancelledOrderes, a malicious attacker can come up with an order for an NFT and executes it. Proof of Concept 1. User puts his NFT on sale for 10ETH approves contract 2. Malicious attacker calls the...
Standard policy price matching is flawed
Lines of code Vulnerability details Impact Already placed orders may be highly unlikely able to be matched and executed. An order has to be created specifically for an already existing order with the intent to match and execute it. This severely impedes the functionality of the exchange, wastes...
Requiring Timelock For Setter Functions
Lines of code Vulnerability details Vulnerability Details We noticed that the following owner-privileged setter functions can update important state variables without a time delay. 1. setExecutionDelegate function of the BlurExchange contract L215 - 222 in code snippet 1 2. setPolicyManager...
The amount of an ERC1155 token should be checked.
Lines of code Vulnerability details Impact For NFT token of type ERC1155, there may be multiple tokens with the same tokenId. Therefore, when processing orders of type ERC1155, it is necessary to check not only whether the tokenId of the NFT for both buyers and sellers are matched, but also the...
A cancelled order can be executed again by the order creator.
Lines of code Vulnerability details Impact A cancelled order can be executed again by the order creator. While validating the signature, it doesn't check any conditions when order.order.trader == msg.sender here so the already cancelled/filled orders can be executed again when the caller increase...
Signature malleability
Lines of code Vulnerability details Impact Signature malleability allows the user to reuse the same signature twice. Which may cause order to be executed twice. Proof of Concept function recover bytes32 digest, uint8 v, bytes32 r, bytes32 s internal pure returns address requirev == 27 || v == 28,...
burnFrom
Lines of code github.com/code-423n4/2022-10-thegraph/blob/main/contracts/token/IGraphTokens.solL12 Vulnerability details POC: Function burnFrom does not decrease the allowance, so that is possible for example: Adam to deplete the balance of Bob if Bob allowance to Adam is at least one token by...
Possible loss of assets for seller through cross-contract re-entrancy
Lines of code Vulnerability details Impact BlurExchange.execute applies a reentrancyGuard modifier, however does not apply the Check-Effect-Interact pattern since cancelledOrFilledsellHash and cancelledOrFilledbuyHash are set to true after the transfers. This presents the risk of a cross-contract...
Passing chain id from outside
Lines of code Vulnerability details Impact Passing chain id from outside. Incorrect chain id can be passed. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Use assembly to obtain current chain id.
_executeTokenTransfer() can silently fail for malicious ERC721 implementations.
Lines of code Vulnerability details Impact execute calls executeTokenTransfer to perform the NFT transfer from seller to buyer. The function assumes correct safeTransferFrom functionality and does not check balances. In case of malicious - or poorly designed pausable ERC721 implementations, this...
Merkle verifier library verifies intermediate inputs
Lines of code Vulnerability details Vulnerability details Description MerkleVerifier provides a set of functions for verification of a Merkle proof by performing an inclusion check of input against a binary tree. This is implemented as consecutively hashing concatenated sibling nodes until a root...
BlurExchange Contract May Not Be Upgradeable
Lines of code Vulnerability details Vulnerability Details The BlurExchange is designed to be an implementation contract supporting an upgradeable feature. However, we found that some contracts define state variables without allocating the reserved storage slots gap which may impede the BlurExchan...
USE OF SOLIDITY VERSION 0.8.14 WHICH HAS KNOWN ISSUES APPLICABLE TO Blur Exchange
Lines of code Vulnerability details Vulnerability details Vulnerability related to ‘Optimizer Bug Regarding Memory Side Effects of Inline Assembly’ ref : Blur Exchange inherits solidity contracts from openzeppelin and these uses inline assembly, and optimization is enabled while compiling...
Payable with no way of taking funds out / using msg.value can lock funds
Lines of code Vulnerability details Impact External execute function may lock funds
ERC1155's Amount Parameter Manipulation To Steal Buyers' Funds
Lines of code Vulnerability details Vulnerability Details We discovered that a rogue seller i.e., attacker can place an order for selling N amount where N > 1 of a specific token id of an ERC-1155 NFT collection. However, when the sell order is fulfilled by a buyer, the attacker would spend only 1...
The execution of an order transfers 1 token regardless of Order.amount
Lines of code Vulnerability details Impact An order can be placed for an arbitrary amount, which is relevant for ERC1155. But when matched and executed only 1 token is transferred. This can lead to problems with accounting for the user, expecting a transfer of Order.amount tokens, potentially wit...
Missing check for address(0)
Lines of code Vulnerability details Impact Anyone can use address0 as a matchingPolicy contract Proof of Concept The Owner can invoke addPolicy with policy == address0 by mistake to the whitelistedPolicies and the malicious users could do bad things with matchingPolicy == address0 Recommended...
Unused slippage params
Lines of code Vulnerability details Impact Unused slippage params. function outboundTransfer in L2GraphTokenGateway both L1 and L2 do not use slippage parameters., making it susceptible to sandwich attacks / MEV. Proof of Concept 'uint256, // unused on L2 uint256, // unused on L2' Tools Used...
BlurExchange#_validateOracleAuthorization does not work as intended for bulk orders
Lines of code Vulnerability details Impact Bulk orders are not correctly signed and don't work as intended Proof of Concept BlurExchange.solL386-L392 else if signatureVersion == SignatureVersion.Bulk / If the signature was a bulk listing the merkle path musted be unpacked before the oracle...
Amount of ERC1155 tokens transferred is always 1.
Lines of code Vulnerability details Impact When a user signs an order to buy multiple ERC1155 tokens the amount of tokens transferred is hardcoded to be 1. This means although they expected to get n number of tokens for the total price of X they only get 1 and pay the total amount of X ETH. Proof...
Critical matching policy logic is unenforced
Lines of code Vulnerability details Impact Malicious order matching. Proof of Concept When being executed two orders are matched using custom matching policies. Certain checks are critical for every order matching. Currently these checks would have to be implemented in the matching policies...
StandardPolicyERC1155.sol doesn't validate the order.amount properly.
Lines of code Vulnerability details Impact StandardPolicyERC1155.sol doesn't validate the order.amount properly. This contract is used to check a policy for matching orders of ERC1155 tokens. But it doesn't check the amount of ERC1155 token properly and traders might lose their funds unexpectedly...
Wrong amount of ERC1155 token result in loss of funds for buyer
Lines of code Vulnerability details Impact In StandardPolicyERC1155 contract, the amount of ERC1155 token always return 1 instead of amount value in Order struct. The result is when ERC1155 orders is matched, buyers will only receive 1 token even they specify amount 1, which means loss of funds f...
execute does not work for ERC1155 tokens orders where amount > 1
Lines of code Vulnerability details Impact StandardPolicyERC1155 functions canMatchMakerBid and canMatchMakerBid always return amount == 1, regardless of the function arguments. This means that calling execute on an agreed order of ERC1155 token with an amount > 1 will always transfer amount == 1 o...
Underhanded meaning of expirationTime == 0
Lines of code Vulnerability details Impact The pwner of BlurExchange can reject the rigor of code and fulfill the ambiguity of human expression, forcing a reinterpretation of expirationTime == 0 to "no expiration time at all". Unexpirable orders in the vicissitudes of the crypto markets do not...
[M1] _executeTokenTransfer can succeed without transferring tokens
Lines of code Vulnerability details Impact NFT Tokens may not be transferred in execute PoC During compile time AssetType can be either ERC721 or ERC1155 0 or 1. However, in execution time this value can be more than 1. The internal function executeTokenTransfer will succeed when AssetType 1...
The seller could steal the Creator Royalties
Lines of code Vulnerability details Impact the seller could set their address to get the Creator Royalties Proof of Concept execute == executeFundsTransfer == transferFees for uint8 i = 0; i fees.length; i++ uint256 fee = price feesi.rate / INVERSEBASISPOINT; transferTopaymentToken, from,...
test
Lines of code http://L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps...