Jun 03, 2022

Integer Overflow in Nonce Possible Via EIP 1271 Compliant Contract

Code4rena

Lines of code

Vulnerability details

Impact

The current NonceManager (the deployed version) does not expect a nonce to ever grow large enough to trigger an integer overflow, so the increment is left unchecked.

However, a nonce can grow that large when an EIP 1271 contract holds the NFTs in question. For example, if the EIP 1271 contract's cancel function (which increments the nonce) has a re-entrancy vulnerability, chaining that vulnerability with Seaport can make invalid offers valid again.

Proof of Concept

A simple POC is a contract that calls incrementNonce in a loop up to max uint. To avoid running out of gas, the loop breaks when the remaining gas falls below a threshold, and the call is repeated until the nonce reaches max uint.

The reference implementation of NonceManager does not have this issue, but the production version does.

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Remove the unchecked block on line 33.
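As an added illustration of the recommended fix (example code, not Seaport's own NonceManager), the following shows a simplified nonce manager with the unchecked increment beside the checked variant. Contract and event names are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified stand-in for a nonce manager (hypothetical; not Seaport's code).
// Orders are bound to (offerer, nonce), so a nonce that wraps back to an
// earlier value would revive any order signed under that value.
contract NonceManagerUnchecked {
    mapping(address => uint256) private _nonces;

    event NonceIncremented(uint256 newNonce, address indexed offerer);

    function incrementNonce() external returns (uint256 newNonce) {
        unchecked {
            // At type(uint256).max this wraps silently to 0 instead of reverting.
            newNonce = ++_nonces[msg.sender];
        }
        emit NonceIncremented(newNonce, msg.sender);
    }

    function getNonce(address offerer) external view returns (uint256) {
        return _nonces[offerer];
    }
}

// Hardened variant: the same increment under Solidity 0.8 checked arithmetic.
// Once the nonce reaches type(uint256).max the next increment reverts with
// Panic(0x11), so the nonce can never wrap and a cancelled order cannot
// become valid again.
contract NonceManagerChecked {
    mapping(address => uint256) private _nonces;

    event NonceIncremented(uint256 newNonce, address indexed offerer);

    function incrementNonce() external returns (uint256 newNonce) {
        newNonce = ++_nonces[msg.sender];
        emit NonceIncremented(newNonce, msg.sender);
    }

    function getNonce(address offerer) external view returns (uint256) {
        return _nonces[offerer];
    }
}
```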

