Last updated
Was this helpful?
Submitted on Thu Aug 15 2024 22:24:33 GMT-0400 (Atlantic Standard Time) by @NinetyNineCrits for
Report ID: #34565
Report type: Smart Contract
Report severity: High
Target: https://github.com/ThunderFuel/smart-contracts/tree/main/contracts-v1/thunder_exchange
Impacts:
Temporary freezing of NFTs for at least 1 hour
Similar to submission 34496 ("Users cant withdraw their funds for removed assets"), users can not cancel maker-sell-orders to get their NFTs back, once the strategy, on which an order has been placed, has gotten removed (e.g. in case of version upgrades).
However, unlike submission 34496, there are some important ramifications on handling this issue, as the check serves an important role. These ramifications are discussed below.
When a selling maker places an order, it is checked in place_order that they have sent the right amount of the right asset:
Those assets remain in the ThunderExchange contract until the order is filled or canceled. The cancellation only works when an order is removed from a strategy that is still whitelisted:
NFTs (or ERC1155) of selling makers can not retrieve their funds, when a strategy for which they placed an order (and sent the funds in) got removed.
Unlike submission 34496 the validation for the strategy can not be simply removed, as it serves an important role here. So thinking about mitigations I would just like to bring up some ideas
Allow the owner to do force cancellations (which would be done before adding a new contract)
Migrate the existing orders to the storage of the new strategy
Add a new field like was_formerly_whitelisted in the execution manager and fill it when a strategy gets removed. This field would additionally be checked for cancellations (is_whitelisted || was_whitelisted), while executions keep only checking for currently whitelisted strategies.
Not applicable
https://drive.google.com/file/d/1q4pSXHRu7JcNg3Wi1sU188oOzu-P67tn/view?usp=sharing
The given google drive link contains a fully functional test suite containing all the projects contracts. It was build using the fuel rust SDK, using the official docs as starting point
https://docs.fuel.network/docs/sway/testing/testing-with-rust/
https://docs.fuel.network/docs/fuels-rs/getting-started/
It does the following:
deploy and initialize all the projects contracts, including setting up all the references they need to each other
deploy a minimalistic ERC1155 contract that allows arbitrary mints
have the maker (seller) mint 1 token for himself
have the maker place an order with that 1 token, which will be transferred into the exchange contract
have the owner remove the strategy
have the maker try to cancel the order to get his assets back, which fails
The POC is contained in tests/harness.rs and can be run simply with cargo test "cant_cancel_once_support_for_strategy_ceased" as long as the is installed.
