Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conduit can be rendered useless #56

Closed
code423n4 opened this issue May 31, 2022 · 2 comments
Closed

Conduit can be rendered useless #56

code423n4 opened this issue May 31, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/conduit/ConduitController.sol#L57

Vulnerability details

Impact

Currently their is no check to see whether initialOwner is set to address(0) while creating new Conduit. The new Conduit would get created but user wont be able to use it.

Proof of Concept

  1. User call createConduit function but accidentally passes address(0) as initialOwner
  2. The conduit gets created and owner is set to address(0)

Recommended Mitigation Steps

Add below check in createConduit function:

require(initialOwner!=address(0);, "Incorrect owner");
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 31, 2022
code423n4 added a commit that referenced this issue May 31, 2022
@code423n4
csanuragjain issue #56
c58b25f
@0age 0age added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jun 2, 2022
@0age
Copy link
Collaborator

0age commented Jun 2, 2022
edited
Loading

Confirmed that there should be a check (indeed have already implemented this change) but should be low-severity as an improperly configured conduit will simply be unusable and can be redeployed

@HardlyDifficult
Copy link
Collaborator

Grouping with the warden's QA report #53

@HardlyDifficult HardlyDifficult added duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 19, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Jun 19, 2022
Open
@0xleastwood 0xleastwood added invalid This doesn't seem right and removed duplicate This issue or pull request already exists labels Jun 24, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Jun 26, 2022
Open
@HardlyDifficult HardlyDifficult added duplicate This issue or pull request already exists and removed invalid This doesn't seem right labels Jun 30, 2022
This was referenced Jul 17, 2022
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@HardlyDifficult @0age @0xleastwood @code423n4