Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

The oracle has no restrictions on scores, and an excessively large score can lead to an overflow, which can cause losses for both the seller and the buyer.

Summary

The oracle has no restrictions on scores, and an excessively large score can lead to an overflow, which can cause losses for both the seller and the buyer.

Vulnerability Details

Background:

  1. The basic call sequence for a purchase is: the seller lists items and pays the listing fee during the sell phase, the buyer makes a purchase request and pays the oracleFee during the buy phase, and then the purchase function is called to execute the transaction.

  2. The buyer needs to rely on the oracle's results to complete the purchase.

  3. In the oracle code comments, it is mentioned that scores should have a maximum limit, but this has not been implemented.

  4. An excessively large score can lead to overflows at multiple points in the code (1, 2, 3), causing a revert, which prevents the buyer from purchasing the NFT.

    uint256 sum = 0;
    for (uint256 i = 0; i < data.length; i++) {
        sum += data[i];
    }

Impact

Both the seller and the buyer will lose their fees and be unable to complete the transaction. As a result, the protocol functions are almost entirely unusable.

Tools Used

manual

Recommendations

Restrict the maximum score so that the sum and product calculations cannot overflow.
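One way to apply this recommendation, shown as an added example that is not part of the original submission or the Swan code base: the unbounded sum from the finding beside a version that rejects out-of-range scores before any arithmetic. `ScoreStats`, `MAX_SCORE`, the error and all function names are hypothetical, Solidity 0.8 checked arithmetic is assumed, and the "product" is assumed to be a squared deviation in a variance calculation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Swan/Dria source. ScoreStats, MAX_SCORE and
// every function name here are hypothetical.
contract ScoreStats {
    // Assumed cap; use the score range the protocol actually documents.
    uint256 public constant MAX_SCORE = 255;

    error ScoreOutOfRange(uint256 index, uint256 score);

    // Unbounded, as in the finding: with checked arithmetic, scores whose
    // total exceeds type(uint256).max make `sum += data[i]` panic (0x11),
    // so every caller of this path reverts.
    function sumUnbounded(uint256[] calldata data) external pure returns (uint256 sum) {
        for (uint256 i = 0; i < data.length; i++) {
            sum += data[i];
        }
    }

    // Bounded: reject a bad score where it enters, naming the offending index,
    // instead of letting it reach the statistics and revert there.
    function validateScores(uint256[] calldata data) public pure {
        for (uint256 i = 0; i < data.length; i++) {
            if (data[i] > MAX_SCORE) revert ScoreOutOfRange(i, data[i]);
        }
    }

    // With every score <= MAX_SCORE the sum is at most n * MAX_SCORE and each
    // squared deviation at most MAX_SCORE ** 2, far below the uint256 limit.
    function meanAndVariance(uint256[] calldata data)
        external
        pure
        returns (uint256 mean, uint256 variance)
    {
        require(data.length > 0, "no scores");
        validateScores(data);
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) sum += data[i];
        mean = sum / data.length;
        uint256 squares = 0;
        for (uint256 i = 0; i < data.length; i++) {
            uint256 d = data[i] > mean ? data[i] - mean : mean - data[i];
            squares += d * d; // safe: d <= MAX_SCORE
        }
        variance = squares / data.length;
    }
}
```

Rejecting the score at submission time, rather than inside the statistics, keeps one bad oracle response from blocking the later purchase path.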

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbounded score values in `validate` function
