Incorrect listing type validation bypasses enforcement of minimum purchase amount
fyamf
Medium

Finding description and impact

Incorrect validation of the listing type lets a listing bypass the check that _minPurchaseAmt is greater than 0 and at most _amount.

Proof of Concept

A listing has one of two types, Single or Partial:

enum ListingType { PARTIAL, SINGLE }

https://github.com/code-423n4/2024-12-secondswap/blob/main/contracts/SecondSwap_Marketplace.sol#L37

For Partial listings, _minPurchaseAmt must be set to ensure buyers cannot purchase less than the specified minimum amount.

However, during the listing of a vesting, _minPurchaseAmt is not validated correctly. Specifically, the following line is implemented improperly:

require(
    _listingType != ListingType.SINGLE || (_minPurchaseAmt > 0 && _minPurchaseAmt <= _amount),
    "SS_Marketplace: Minimum Purchase Amount cannot be more than listing amount"
);

https://github.com/code-423n4/2024-12-secondswap/blob/main/contracts/SecondSwap_Marketplace.sol#L253

This implementation mistakenly enforces, for Single listings, that _minPurchaseAmt is greater than 0 and at most _amount. The check should instead apply to Partial listings. The corrected implementation is as follows:

require(
    _listingType == ListingType.SINGLE || (_minPurchaseAmt > 0 && _minPurchaseAmt <= _amount),
    "SS_Marketplace: Minimum Purchase Amount cannot be more than listing amount"
);

With this change, the check ensures that _minPurchaseAmt is greater than 0 and at most _amount for Partial listings, as intended.
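The two conditions can be compared against the intended rule on boundary values. The following is an added example, not code from the finding or from the SecondSwap repository; the Python function names, the sample amount of 100 and the reading of the intended rule (only Partial listings are constrained) are assumptions of this example.

```python
from enum import Enum
from itertools import product


class ListingType(Enum):
    PARTIAL = 0
    SINGLE = 1


def check_as_written(listing_type, min_purchase_amt, amount):
    # Condition quoted in the finding from SecondSwap_Marketplace.sol#L253.
    return listing_type != ListingType.SINGLE or (0 < min_purchase_amt <= amount)


def check_as_corrected(listing_type, min_purchase_amt, amount):
    # Condition proposed in the finding.
    return listing_type == ListingType.SINGLE or (0 < min_purchase_amt <= amount)


def intended_rule(listing_type, min_purchase_amt, amount):
    # Assumed intent: only PARTIAL listings need 0 < min <= amount.
    if listing_type is ListingType.PARTIAL:
        return 0 < min_purchase_amt <= amount
    return True


def divergences(check, amount=100, mins=(0, 1, 100, 101)):
    """Return (wrongly_accepted, wrongly_rejected) inputs for `check`.

    `mins` are constructed boundary values around 0 and `amount`.
    """
    wrongly_accepted, wrongly_rejected = [], []
    for listing_type, min_amt in product(ListingType, mins):
        got = check(listing_type, min_amt, amount)
        want = intended_rule(listing_type, min_amt, amount)
        if got and not want:
            wrongly_accepted.append((listing_type.name, min_amt))
        elif want and not got:
            wrongly_rejected.append((listing_type.name, min_amt))
    return wrongly_accepted, wrongly_rejected


if __name__ == "__main__":
    for name, check in [("as written", check_as_written),
                        ("corrected", check_as_corrected)]:
        accepted, rejected = divergences(check)
        print(f"{name}: wrongly accepted={accepted} wrongly rejected={rejected}")
```

The same boundary values (0, 1, _amount, _amount + 1, for each listing type) make a compact regression test against the contract itself.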

Recommended mitigation steps

The validation logic should be updated as follows:

require( - _listingType != ListingType.SINGLE || (_minPurchaseAmt > 0 && _minPurchaseAmt <= _amount), + _listingType == ListingType.SINGLE || (_minPurchaseAmt > 0 && _minPurchaseAmt <= _amount), "SS_Marketplace: Minimum Purchase Amount cannot be more than listing amount" );
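Review bot: the revert string kept as context in this change describes only the upper bound, but the condition on the `+` line also fails when `_minPurchaseAmt` is 0 for a Partial listing, so a zero minimum would revert with a message about exceeding the listing amount. Consider rewording the message to cover both bounds, or splitting the check into two `require` statements with their own messages. A test that lists a Partial vesting with `_minPurchaseAmt` set to 0 and to `_amount + 1`, expecting a revert in both cases, would pin the corrected behaviour.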

https://github.com/code-423n4/2024-12-secondswap/blob/main/contracts/SecondSwap_Marketplace.sol#L253

Links to affected code