Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Invalid

Free Token Acquisition Due to Unvalidated Order Price in TokenDivider Contract

Summary

The contract allows users to sell ERC20 tokens, but it does not validate the order price. If a user forgets to set the order price (leaving it at zero), other users can buy the tokens for free.

Vulnerability Details

TokenDivider::sellErc20 has an order price argument that the seller sets when creating the order. However, the function never checks whether that price is zero, so a zero-priced order is accepted and stored like any other.

Proof of Code:

Add this to the test suite.

    function testSellOrderWithPriceZero() public nftDivided {
        // Fetch the ERC20 that was minted when the NFT was divided
        ERC20Mock erc20Mock = ERC20Mock(tokenDivider.getErc20InfoFromNft(address(erc721Mock)).erc20Address);

        // USER escrows AMOUNT tokens in a sell order with price 0 (no revert)
        vm.startPrank(USER);
        erc20Mock.approve(address(tokenDivider), AMOUNT);
        tokenDivider.sellErc20(address(erc721Mock), 0, AMOUNT); // USER creates a sell order with price 0
        vm.stopPrank();
        assertEq(tokenDivider.getBalanceOf(USER, address(erc20Mock)), 0);
        assertEq(erc20Mock.balanceOf(address(tokenDivider)), AMOUNT);

        // USER2 fills the order without sending any ETH
        vm.startPrank(USER2);
        tokenDivider.buyOrder(0, USER); // USER2 buys the order for price 0
        vm.stopPrank();

        // USER2 now holds the tokens and spent nothing
        assertEq(tokenDivider.getBalanceOf(USER2, address(erc20Mock)), AMOUNT);
        assertEq(address(USER2).balance, STARTING_USER_BALANCE);
    }

Impact

Any other user can fill a zero-priced order and receive the escrowed ERC20 tokens without paying anything.

Tools Used

Manual Review

Recommendations

Add a zero check on the price in the sellErc20 function, reverting with a dedicated custom error:

    if (price == 0) {
        revert TokenDivider__PriceCantBeZero();
    }
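As an added illustration (not the Pieces Protocol code), a simplified sketch of the sell and buy flow with the recommended check in place. The contract name, the inline IERC20 interface, taking the ERC20 address directly and settling by direct transfer are all assumptions made for brevity; the real TokenDivider takes the NFT address and tracks internal balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal inline interface so the sketch compiles without external dependencies.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified sell/buy flow showing where the zero-price check belongs.
contract SellOrderSketch {
    error PriceCantBeZero();
    error WrongPayment();

    struct SellOrder { address seller; address erc20; uint256 amount; uint256 price; }
    mapping(address => SellOrder[]) private s_orders; // seller => open orders

    function sellErc20(address erc20, uint256 price, uint256 amount) external {
        // Hardened form: reject orders that would give the tokens away.
        // Without this line a price of 0 is stored, and buyOrder below
        // settles it for msg.value == 0, i.e. for free.
        if (price == 0) revert PriceCantBeZero();
        require(IERC20(erc20).transferFrom(msg.sender, address(this), amount), "escrow failed");
        s_orders[msg.sender].push(SellOrder(msg.sender, erc20, amount, price));
    }

    function buyOrder(uint256 index, address seller) external payable {
        SellOrder memory order = s_orders[seller][index];
        // This check alone does not help: 0 == 0 passes when price was never validated.
        if (msg.value != order.price) revert WrongPayment();
        // Remove the order (swap-and-pop) before settling to avoid double fills.
        uint256 last = s_orders[seller].length - 1;
        s_orders[seller][index] = s_orders[seller][last];
        s_orders[seller].pop();
        require(IERC20(order.erc20).transfer(msg.sender, order.amount), "payout failed");
        (bool ok,) = order.seller.call{value: msg.value}("");
        require(ok, "pay seller failed");
    }
}
```

Running the proof-of-code test above against a contract with this check makes the sellErc20 call revert with the custom error instead of escrowing the tokens.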
Updates

Lead Judging Commences

fishy (Lead Judge), 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
