Exploit to buy orders on Solv such that the seller gets 0 because the amount is sent to the 0x0 address.
Reported to Solv by multiple researchers.
Fixed by Solv: https://etherscan.io/tx/0xc6002001c0c38045401a2e5627e314941f20824f807ddfd7a0dc783133d743fa
- An attacker can buy all but 1 of an item's available units using buyByUnits(..).
- _buy() invokes doTransferOut, which, if transferring to a contract, calls onVNFTReceived on the receiving end.
- The onVNFTReceived callback can then invoke _buy() again via buyByAmount(..) or buyByUnits(..) and buy the remaining 1 unit in the item.
- This causes _buy() to cancel the order:
delete sales[sale_.saleId];
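- This resets sales[sale_.saleId] to all zeroes (0x0), so the outer _buy() call, which is still in progress, continues with a zeroed sale record.
- The seller is paid 0 for the 1 unit (too small) and the rest of the payment goes to the 0x0 address.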
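
The ordering problem in the steps above, as a small Python model added here for illustration (not Solv's code and not the fix Solv deployed). The class and method names, the prices and the checks-effects-interactions hardening are assumptions, and the rounding that makes the 1-unit payout 0 is not modelled.

```python
# Python model of the purchase flow described above.
# Constructed for illustration; names and numbers are hypothetical, not Solv's code.
ZERO = "0x0"

class Market:
    def __init__(self, hardened):
        self.hardened = hardened
        self.sales = {1: {"seller": "seller", "units": 10, "price": 5}}
        self.paid = {}          # recipient -> total payment received

    def buy_by_units(self, sale_id, buyer, units):
        sale = self.sales[sale_id]           # behaves like a Solidity storage reference
        if not 0 < units <= sale["units"]:
            raise ValueError("invalid units")
        amount = units * sale["price"]
        sale["units"] -= units
        if self.hardened:
            # Effects first: pay the seller and close the order, then call out.
            self._pay(sale["seller"], amount)
            self._close_if_sold_out(sale)
            self._transfer_out(sale_id, buyer)
        else:
            # Ordering from the steps above: external call first,
            # payee read from storage only after the callback returns.
            self._transfer_out(sale_id, buyer)
            self._pay(sale["seller"], amount)
            self._close_if_sold_out(sale)

    def _transfer_out(self, sale_id, buyer):
        buyer.on_vnft_received(self, sale_id)   # callback into the receiving contract

    def _pay(self, to, amount):
        self.paid[to] = self.paid.get(to, 0) + amount

    def _close_if_sold_out(self, sale):
        if sale["units"] == 0:               # models `delete sales[sale_.saleId]`
            sale.update(seller=ZERO, units=0, price=0)

class ReenteringReceiver:
    """Receiver whose callback buys the last unit once, as in the steps above."""
    def on_vnft_received(self, market, sale_id):
        if market.sales[sale_id]["units"] == 1:
            market.buy_by_units(sale_id, self, 1)

def run(hardened):
    market = Market(hardened)
    market.buy_by_units(1, ReenteringReceiver(), 9)
    return market.paid   # who received the buyer's payment
```

With the same receiver, the original ordering routes the outer payment to `0x0`, while finishing all state changes before the external call leaves the seller with the full amount.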