possible to bid for tokens that are not for sale #11
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-23
🤖_11_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L646
Vulnerability details
Impact
possible to bid for tokens that are not listed for sale. This is because
setbidtobuy()
does not check for if the propertytoken.sell.isListed
is true when bidding.Proof Of Concept
For a token to be sold, the token owner must call setlListForSell() to set the
price
,denomination
,auto-approve
and theisListed
value which indicates if a token/rental token is now listed on the market. Because the values for all these are provided by the user, a user may callsetlListForSell()
to setprice
,denomination
andauto_approve
but not setisListed
yet or set it to false because rental token owner is not just ready to sell yet but wants to give other buyers in the market an idea of the pricing or for any other reason the token owner sees fit.Now in this case, if this is done, if pricing and denom is set but
isListed
is false, buyers will still be able to bid viasetbidtobuy()
even though the rental token/property is not on the market. This means buyers are bidding for a property that is not for sale.setbidtobuy()
only checks for if thetoken.sell.denom
isd set and equal to demonination provided by the caller/buyer andtoken.sell.price
is lower than or equal to the amount provided by the caller/buyer. It does not check the most important property of thetoken.sell
struct which istoken.sell.isListed
.https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L666-L691
in the snippet above we can see that the logic does not check for if the token is listed or not before adding a new bid to the
token.bids
array.The logic then proceeds to save the modified token struct to storage with the newly added bid. see below.
https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L694-L720
Recommened Mitigation
add an if else statement which reverts if
token.sell.isListed
is equal to false.Assessed type
Context
The text was updated successfully, but these errors were encountered: