heeze - Incorrect index due to not emptying tstore

[sherlock-admin4]

heeze

High

Incorrect index due to not emptying tstore

Summary

An incorrect index of the checkpoint is used when creating a Protected Listing because the tstore opcode is not emptied after the use.

Vulnerability Detail

The tstore opcode is temporary but not emptied after until the end of the transaction. Hence if a user creates multiple protectedListings in the same transaction the same checkpointIndex will be used for all the listings except the first.

POC

• User creates a ProtectedListing the checkpoint is updated with the current checkpoint
• User creates another ProtectedListing in the same transaction leading to the same checkpoint been used for listing 2
• User can continuously do this and all subsequent listings will have the same checkpoint

Impact

The listing checkpoint index is used to calculate the unlock price of a user's NFT, as such this will result in listings with lower price.

Code Snippet

In https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L138

Tool used

Manual Review

Recommendation

Clear the tstore opcode after use/call.