dhanjani/solv-protocol-exploit
solv-protocol-exploit

Exploit to buy orders on solv such that the seller gets 0 because the amount is sent to the 0x0 address.

Vulnerability Disclosure

Reported to solv by multiple researchers.

Fixed by solv: https://etherscan.io/tx/0xc6002001c0c38045401a2e5627e314941f20824f807ddfd7a0dc783133d743fa

The Vulnerability

  1. An attacker can buy an item for all but 1 available units using buyByUnits(..).
  2. _buy() invokes doTransferOut, which, if transferring to a contract, calls onVNFTReceived on the receiving end.
  3. Now the onVNFTReceived callback can invoke _buy() again via buyByAmount(..) or buyByUnits(..) and buy the remaining 1 unit in the item.
  4. This will cause _buy() to cancel the order:
     delete sales[sale_.saleId];
  5. This sets sales[sale_.saleId] to 0x.
  6. The seller is paid 0 for the 1 unit (too small) and the rest of the payment goes to the 0x0 address.
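
A simplified Python model of the sequence above, added here as an illustration and not taken from this repository or from Solv's contracts: Market, Sale, the two buyer classes, the order of operations inside buy() and the sample order (100 units at price 10) are all assumptions, and the rounding of the 1-unit payment is not modelled. The hardened path pays a seller value copied before the external call, which is a common mitigation; the page does not say how Solv fixed the issue.

```python
ZERO = "0x0"  # stand-in for the zero address

class Sale:
    def __init__(self, seller, units, price):
        self.seller, self.units, self.price = seller, units, price

class Market:
    """Toy order book. Names and call order are assumptions, not Solv's code."""
    def __init__(self, hardened):
        self.hardened, self.sales, self.paid = hardened, {}, {}

    def buy(self, sale_id, buyer, units):
        sale = self.sales[sale_id]        # behaves like a Solidity storage pointer
        if not 0 < units <= sale.units:
            raise ValueError("invalid unit count")
        amount = units * sale.price
        seller = sale.seller              # snapshot taken before the external call
        sale.units -= units
        buyer.on_received(self, sale_id)  # external call into buyer-controlled code
        # Vulnerable: re-read the seller from storage after the callback returned.
        # Hardened: pay the snapshot, which a nested delete cannot change.
        payee = seller if self.hardened else sale.seller
        self.paid[payee] = self.paid.get(payee, 0) + amount
        if sale.units == 0:               # models `delete sales[sale_.saleId]`
            sale.seller, sale.price = ZERO, 0

class PlainBuyer:
    def on_received(self, market, sale_id):
        pass

class ReentrantBuyer:
    """Buys whatever is left from inside the callback (step 3 above)."""
    def on_received(self, market, sale_id):
        left = market.sales[sale_id].units
        if left > 0:
            market.buy(sale_id, self, left)

def run(hardened, buyer):
    market = Market(hardened)
    market.sales[1] = Sale("alice", units=100, price=10)  # constructed sample order
    market.buy(1, buyer, 99)                              # all but 1 unit
    return market.paid

if __name__ == "__main__":
    print("vulnerable:", run(False, ReentrantBuyer()))
    print("hardened:  ", run(True, ReentrantBuyer()))
```

In the vulnerable run the outer payment for the 99 units is credited to the zero address because the nested purchase zeroed the sale before the outer call read the seller; with the snapshot the seller receives both payments.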
