Fix DirectTakerExecutor ownership issue

Question

Fix DirectTakerExecutor ownership issue

marktoda opened this issue 2 years ago · 5 comments

Right now the DirectTakerExecutor has an issue where anyone can call execute to take earned funds. I think easy solution is to just have configured whitelisted reactor address

Answer 1 · 2022-12-19T23:04:55.000Z

maybe worth considering more general solution - would be nice if single executor could be reactor agnostic but maybe not possible here

Answer 2 · 2022-12-20T16:49:13.000Z

I think #62 is also a great solution for this

Answer 3 · 2022-12-21T15:28:43.000Z

Right now the DirectTakerExecutor has an issue where anyone can call execute to take earned funds

How? I thought through this and could not see how this is possible

Answer 4 · 2022-12-21T16:46:20.000Z

you are filler
you approve executor
i am bad guy
i call executor.reactorCallback(ResolvedOrder(input: nothing, output: all your tokens to me), taker = you)
i call token.safeTransferFrom(executor, me)

I think this works rn, no?

Answer 5 · 2022-12-21T17:08:09.000Z

I think this works rn, no?

Yes, I think this works. Had not thought to call the reactorCallback() directly.