Description
Tax transfer via bid
Author
catding
Scope
Smart Contract
Status
Eligible, Resolved, Reward Distributed
Risk Score
5.35
Risk Severity
High
Reward Amount
298,530
Reported Date
June 21, 2022
Bugfix Commits
Categories
Transaction of Reward Distribution
Details
Summary
The tax liability for a pixel can be pushed onto an address without the awareness or consent of that address's owner.
Context
bid calls safeTransferByMarket to transfer ownership of the pixel to the bidder. safeTransferByMarket calls _safeTransfer, which invokes onERC721Received on the new owner if that address is a contract. Only after the transfer (and therefore the callback) returns does bid continue and set the pixel's new price from its input. Anything the callback does to the pixel happens before that price is written.
Form an Attack
- The attacker deploys a contract that implements the onERC721Received interface.
- Using that contract, the attacker buys a pixel via bid, passing an extremely high price as the new asking price.
- Inside onERC721Received, while bid is still executing, the contract immediately transfers the pixel to the victim.
- bid then sets the extremely high price on the pixel, which the victim now owns, so the victim has to pay the tax corresponding to that price.
Affected Assets
- contracts/src/TheSpace/TheSpace.sol (commit: cbb2a7f)
Risk Score
Likelihood
| Factors | Score | Reason |
|---|---|---|
| Threat Agent Factors | | |
| Skill Level | 2 | Advanced user or has programming skills. |
| Motive | 2 | Possible reward through UBI. |
| Opportunity | 1 | Needs to own a large portion of pixels and pay gas fees. |
| Size | 3 | Anonymous Internet users. |
| Vulnerability Factors | | |
| Ease of Exploit | 3 | Can form the attack easily without third-party involvement. |
| Awareness | 3 | Public knowledge. |
Impact
| Factors | Score | Reason |
|---|---|---|
| Technical Impact Factors | | |
| Loss of Integrity | 1 | N/A |
| Loss of Availability | 3 | Can damage the economic mechanism. |
| Loss of Accountability | 3 | Attacker can be completely anonymous. |
| Business Impact Factors | | |
| Financial Damage | 3 | Depends on the $SPACE allowance. |
Overall Likelihood: 2.14
Overall Impact: 2.5
Overall Risk Score = Impact × Likelihood = 2.5 × 2.14 = 5.35