Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Missing mechanism to remove/update sell order

Summary

Allowing users to publish sell orders but not to edit or remove them exposes them to risk if market conditions change.

Vulnerability Details

The protocol exposes market-like functionality to list and buy ERC20s, which can later be exchanged to claim NFTs.

Each owner of pieces can list some or all of their ERC20s in exchange for ETH. That order remains on the market until someone buys it. How long that takes is unknown, and during that time a few things can happen:

  • The user might decide to collect the other pieces of the NFT and delist his offer.

  • The price of the NFT, which the ERC20s are pegged to, might increase significantly.

In both situations, the seller has no option to delist or change the sell order. His ERC20s will be stuck in the order, waiting for someone to take advantage.

Impact

High, as it poses a big risk to the ERC20 market functionality, which is core to the protocol.

Tools Used

Manual review

Recommendations

Implement functionality to adjust or remove a sell order.
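
One way the recommendation could look, as an added sketch that is not the audited contract's code: the contract name, struct, function names and the assumption that listed ERC20s are escrowed in the market contract are all hypothetical. It shows seller-only cancel and reprice, plus a buy path that stays safe when a reprice races with a purchase.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical escrow market: every name here is an assumption, not the audited contract.
contract PiecesMarketSketch {
    using SafeERC20 for IERC20;

    // amount: pieces held in escrow by this contract; price: total asking price in wei
    struct SellOrder { address seller; IERC20 token; uint256 amount; uint256 price; }
    SellOrder[] public orders;

    error NotSeller();
    error OrderClosed();

    function sell(IERC20 token, uint256 amount, uint256 price) external returns (uint256 id) {
        require(amount > 0 && price > 0, "bad order");
        token.safeTransferFrom(msg.sender, address(this), amount);
        id = orders.length;
        orders.push(SellOrder(msg.sender, token, amount, price));
    }

    // Seller-only exit. A closed order has seller == address(0), so it also fails this check.
    function cancel(uint256 id) external {
        SellOrder memory o = orders[id];
        if (o.seller != msg.sender) revert NotSeller();
        delete orders[id];                         // close the order before moving tokens
        o.token.safeTransfer(o.seller, o.amount);  // return the escrowed pieces
    }

    // Seller-only reprice; the pieces stay in escrow.
    function updatePrice(uint256 id, uint256 newPrice) external {
        if (orders[id].seller != msg.sender) revert NotSeller();
        require(newPrice > 0, "bad price");
        orders[id].price = newPrice;
    }

    // Exact-payment check: if a reprice lands first, the purchase reverts rather than settling at an unseen price.
    function buy(uint256 id) external payable {
        SellOrder memory o = orders[id];
        if (o.seller == address(0)) revert OrderClosed();
        require(msg.value == o.price, "price changed");
        delete orders[id];
        o.token.safeTransfer(msg.sender, o.amount);
        (bool ok, ) = o.seller.call{value: msg.value}("");
        require(ok, "payment failed");
    }
}
```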

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Sell orders cant be canceled
