Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RubiconMarket._buys will not work for V1 offers due to the reversion in cancel method. #1324

Open
code423n4 opened this issue Apr 13, 2023 · 4 comments
Open

RubiconMarket._buys will not work for V1 offers due to the reversion in cancel method. #1324

code423n4 opened this issue Apr 13, 2023 · 4 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-04-rubicon/blob/511636d889742296a54392875a35e4c0c4727bb7/contracts/RubiconMarket.sol#L1201-L1202

Vulnerability details

Impact

RubiconMarket._buys tries to cancel dust remaining offers, but it fails for V1 offers. So it blocks RubiconMarket._buys.

Proof of Concept

In RubiconMarket._buys, it tries to cancel an offer with dust pay token amount after fulfilling. So it sets dustId so it can pass the RubiconMarket.can_cancel modifier.

        if (
            isActive(id) &&
            offers[id].pay_amt < _dust[address(offers[id].pay_gem)]
        ) {
            dustId = id; //enable current msg.sender to call cancel(id)
            cancel(id);
        }

But when we move into cancel method, there is another validation. RubiconMarket.cancel will call SimpleMarket.cancel, and SimpleMarket.cancel tries to return dust pay token amount to owner.

        _offer.owner == address(0) && msg.sender == _offer.recipient
            ? require(_offer.pay_gem.transfer(_offer.recipient, _offer.pay_amt))
            : require(_offer.pay_gem.transfer(_offer.owner, _offer.pay_amt));

In this case, msg.sender is different from _offer.recipient so SimpleMarket.cancel will treat this as a V2 offer, while it can be a valid V1 offer. So for a V1 offer, it tries to send pay token amount to _offer.owner, and it is address(0) for V1 offers. So it will revert and SimpleMarket.cancel will not work although it passes RubiconMarket.can_cancel modifier. This will block _buy method.

Tools Used

Manual Review

Recommended Mitigation Steps

In SimpleMarket.cancel, we should refund pay token amount to _offer.recipient when _offer.owner is address(0).
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 13, 2023
code423n4 added a commit that referenced this issue Apr 13, 2023
@code423n4
zhuXKET issue #1324
875d650
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #1281

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jun 6, 2023

HickupHH3 changed the severity to 3 (High Risk)

@c4-judge
Copy link
Contributor

c4-judge commented Jun 6, 2023

HickupHH3 marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jun 6, 2023
@HickupHH3 HickupHH3 mentioned this issue Jun 6, 2023
Closed
@c4-judge c4-judge reopened this Jun 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jun 6, 2023

HickupHH3 marked the issue as selected for report

@c4-judge c4-judge added primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report labels Jun 6, 2023
@C4-Staff C4-Staff added the H-01 label Jun 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working H-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-pre-sort @C4-Staff