Details
Summary
Tax liability for a pixel can be transferred to an address without that address's awareness or consent.
Context
In bid, the contract calls safeTransferByMarket to transfer ownership of the pixel to the new address. safeTransferByMarket calls _safeTransfer, which invokes onERC721Received on the new address if that address is a contract. Only after this transfer (and the external callback it triggers) has completed does bid continue and set the new price from its input, so the price is recorded against whoever holds the pixel at that moment rather than necessarily the bidder.
Form an Attack
- The attacker deploys a contract that implements the onERC721Received interface.
- The attacker uses that contract to buy a pixel at an extremely high price via bid.
- Inside onERC721Received, the contract immediately transfers the pixel to the victim, before bid has recorded the price.
- bid then sets the extremely high price on a pixel the victim now owns, so the victim has to pay the tax corresponding to that price.
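The sequence above, as an added Python model that is not TheSpace's code: it reproduces only the behaviour the report depends on (a safe transfer that calls back into a contract receiver, followed by the price being recorded), runs the attacker's forwarding callback against that ordering, and shows one possible hardening that re-checks ownership after the callback and reverts. Names such as Market, bid_vulnerable, bid_fixed, transfer_from, run_tx, TAX_RATE_BPS and the sample addresses are assumptions of the model, not identifiers or values from the contract.

```python
"""Model of the bid() ordering flaw described above.

Constructed example, not code from TheSpace. It models only the behaviour the
report relies on: bid() moves the pixel to the bidder through a safe transfer
(which calls back into the receiver when the receiver is a contract) and only
afterwards records the bid price that the tax is computed from. Names such as
Market, bid_vulnerable, bid_fixed, transfer_from, run_tx and TAX_RATE_BPS are
assumptions of this model, not identifiers from the contract.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict

Address = str
# Receiver hook: (market, operator, token_id), an onERC721Received analogue.
Callback = Callable[["Market", Address, int], None]

TAX_RATE_BPS = 500  # assumed tax of 5% of the self-assessed price; illustrative only


class Revert(Exception):
    """Stands in for an EVM revert: run_tx rolls the whole call back."""


@dataclass
class Market:
    owner: Dict[int, Address] = field(default_factory=dict)  # token_id -> owner
    price: Dict[int, int] = field(default_factory=dict)      # token_id -> price
    # Addresses that are contracts and implement the receiver hook; EOAs have no entry.
    receivers: Dict[Address, Callback] = field(default_factory=dict)

    def _safe_transfer(self, operator: Address, token_id: int, to: Address) -> None:
        """Hand the token over, then call the receiver hook if `to` is a contract."""
        self.owner[token_id] = to
        hook = self.receivers.get(to)
        if hook is not None:
            hook(self, operator, token_id)

    def transfer_from(self, caller: Address, token_id: int, to: Address) -> None:
        """Ordinary owner-initiated transfer (what the attacker calls from the hook)."""
        if self.owner.get(token_id) != caller:
            raise Revert("caller is not the owner")
        self._safe_transfer(caller, token_id, to)

    def bid_vulnerable(self, bidder: Address, token_id: int, new_price: int) -> None:
        """Ordering the report describes: external callback first, price effect second.
        Settlement with the previous owner is omitted; the bug does not depend on it."""
        self._safe_transfer(bidder, token_id, bidder)
        self.price[token_id] = new_price  # recorded against whoever holds the pixel now

    def bid_fixed(self, bidder: Address, token_id: int, new_price: int) -> None:
        """One possible hardening: record the effect before the interaction and refuse
        to complete if the receiver hook moved the pixel away from the bidder."""
        self.price[token_id] = new_price
        self._safe_transfer(bidder, token_id, bidder)
        if self.owner.get(token_id) != bidder:
            raise Revert("pixel left the bidder inside the receiver hook")

    def tax_due(self, token_id: int) -> int:
        """Tax for one period, owed by the current owner and driven by the recorded price."""
        return self.price[token_id] * TAX_RATE_BPS // 10_000


def run_tx(market: Market, call: Callable[[Market], None]) -> bool:
    """Execute `call` as one transaction: on Revert, restore state and report failure."""
    snapshot = copy.deepcopy((market.owner, market.price))
    try:
        call(market)
        return True
    except Revert:
        market.owner, market.price = snapshot
        return False


def forward_to_victim(attacker: Address, victim: Address) -> Callback:
    """Attacker's receiver hook: the moment the pixel arrives, push it on to the victim."""
    def on_received(market: Market, operator: Address, token_id: int) -> None:
        market.transfer_from(attacker, token_id, victim)
    return on_received


def demo(fixed: bool) -> dict:
    """Run the attack against the vulnerable or the hardened bid() and report the outcome."""
    market = Market(owner={1: "seller"}, price={1: 100})
    market.receivers["attacker_contract"] = forward_to_victim("attacker_contract", "victim")
    bid = market.bid_fixed if fixed else market.bid_vulnerable
    succeeded = run_tx(market, lambda m: bid("attacker_contract", 1, 10**9))
    return {
        "succeeded": succeeded,
        "owner": market.owner[1],
        "price": market.price[1],
        "tax_due": market.tax_due(1),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))  # victim holds a pixel priced at 10**9
    print("fixed:     ", demo(fixed=True))   # bid reverts; seller still owns it at 100
```

Moving the price write ahead of the transfer is not enough on its own: the callback would still forward a pixel that already carries the attacker's price to the victim. What defeats the attack in the model is refusing to complete bid when the pixel is no longer held by the bidder after the callback returns; a reentrancy guard that blocks transfers while bid is executing would achieve the same result.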
Affected Assets
- contracts/src/TheSpace/TheSpace.sol (commit: cbb2a7f)
Risk Score
Likelihood
| Factors | Score | Reason |
|---|---|---|
| Threat Agent Factors | | |
| Skill Level | 2 | Advanced user or has programming skills. |
| Motive | 2 | Possible reward through UBI. |
| Opportunity | 1 | Needs to own a large portion of pixels and pay gas fees. |
| Size | 3 | Anonymous Internet users. |
| Vulnerability Factors | | |
| Ease of Discovery | 1 | Requires a deep understanding of The Space's smart contract and mechanisms. |
| Ease of Exploit | 3 | The attack can be mounted easily without third-party involvement. |
| Awareness | 3 | Public knowledge. |
Impact
| Factors | Score | Reason |
|---|---|---|
| Technical Impact Factors | | |
| Loss of Integrity | 1 | N/A |
| Loss of Availability | 3 | Can damage the economic mechanism. |
| Loss of Accountability | 3 | The attacker can remain completely anonymous. |
| Business Impact Factors | | |
| Financial Damage | 3 | Depends on the victim's $SPACE allowance. |
Overall Likelihood: 2.14
Overall Impact: 2.5
Overall Risk Score = Impact * Likelihood = 5.35