Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

malicious rental owner can rob bidders of the currency amounts sent in via older bids. #45

Closed
c4-bot-3 opened this issue Oct 11, 2024 · 3 comments
Closed

malicious rental owner can rob bidders of the currency amounts sent in via older bids. #45

c4-bot-3 opened this issue Oct 11, 2024 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-5 🤖_05_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@c4-bot-3
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L708-L709

Vulnerability details

Impact

malicious rental owner can rob bidders of the currency amounts sent in via older bids.

Proof Of Concept

       for (i, item) in token.bids.iter().enumerate() {
           if item.address == info.sender.to_string()
           {
               position = i as i32;
               amount = item.offer.into();
               break;
           }
       }

this old bid is found and position is set to the index value. This means the if poisition == -1 if block does not execute/is skipped but the else block which deletes the older bid is executed

https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L694-L697

        else {
            // update the approval list (remove any for the same spender before adding)
            token.bids.retain(|item| item.address != info.sender);
        }

This is then saved into the token storage and now because position is not equal to -1, money is attempted to be sent back to the bidder as refund for its previous bid. See below

https://github.com/code-423n4/2024-10-coded-estate/blob/97efb35fd3734676f33598e6dff70119e41c7032/contracts/codedestate/src/execute.rs#L700-L710

        if position != -1 && (amount > Uint128::from(0u64)) {
            Ok(Response::new()
            .add_attribute("action", "setbidtobuy")
            .add_attribute("sender", info.sender.clone())
            .add_attribute("token_id", token_id)
            .add_message(BankMsg::Send {
                to_address: info.sender.to_string(),
                amount: vec![Coin {
                    denom: token.sell.denom,
                    amount: amount,
                }],
            }))
        }

This send action will send the currency amount for older bid while the denom is currency B. Like instead of sending back 10 units of currency A for example, it will send back 10 units of currency B. Even though both currencies may not be of the same value!

This can be exploited by a malicious rental owner to accept bids, change currency and rob bidders of their value used in the older bids.

Recommened Mitigation

ensure that the refund is being sent with the correct currency that the old bid was made with, and not the new recently changed to currency.

Assessed type

Context
@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 11, 2024
c4-bot-10 added a commit that referenced this issue Oct 11, 2024
@c4-bot-10
adeolu issue #45
f04f482
@c4-bot-13 c4-bot-13 added the 🤖_05_group AI based duplicate group recommendation label Oct 11, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as duplicate of #5

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 15, 2024
@c4-judge
Copy link
Contributor

OpenCoreCH changed the severity to 3 (High Risk)

@c4-judge
Copy link
Contributor

OpenCoreCH marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 15, 2024
@blockchainstar12 blockchainstar12 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-5 🤖_05_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-bot-3 @blockchainstar12 @c4-bot-13