Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bid Amount Sent to Auction Contract Owner in claimAuction Function Instead of NFT Owner #1010

Closed
c4-submissions opened this issue Nov 11, 2023 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-971 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Nov 11, 2023

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L108-L113

Vulnerability details

Impact

The highest bid amount is directed to the auction contract's owner instead of the rightful owner of the NFT.

Vulnerbility Details

The claimAuction function exhibits an issue where the bid amount is erroneously transferred to the owner of the auction contract (owner()) instead of the rightful owner of the auctioned token (ownerOfToken). This issue occurs when the auction winner successfully claims the auction.

Proof of Concept

Find the complete PoC template at https://gist.github.com/zzzuhaibmohd/9bf9d4961472560f1e03ed9a640debd6

for setup run forge init and place the file nextGen.t.sol in test Folder

     function test_BidAmountIsSentWrongOwner() public {
        vm.warp(25 days);

        createCollection("Test Collection 1", 1);

        // 1. Mint a token from collection Id and set to to auction
        minter.mintAndAuction(
            bob, //_recipient
            "Bob the Builder", //_tokenData
            0, //_saltfun_o
            1, //_collectionID
            block.timestamp + 5 days // _auctionEndTime
        );

        uint256 tokenId = 10000000000; // the tokenId of the auctioned NFT

        // 2. Bob provides approval to the auction contract
        vm.prank(bob);
        IERC721(core).approve(address(auction), tokenId);

        // 3. Alice places the bid for tokenId
        vm.prank(alice);
        auction.participateToAuction{value: 2 ether}(tokenId);

        vm.prank(eve);
        auction.participateToAuction{value: 3 ether}(tokenId);

        // 5. The admin calls the claimAuction transaction
        vm.warp(30 days);

        uint bob_balance_before_sale = bob.balance;
        uint auction_owner_balance_before_sale = auction.owner().balance;

        assertEq(core.ownerOf(tokenId), bob);
        auction.claimAuction(tokenId);
        assertEq(core.ownerOf(tokenId), eve);

        // 6. The ISSUE
        //Funds are sent to the auction.owner() instead of bob who is the owner of the NFT
        assertEq(
            auction.owner().balance,
            auction_owner_balance_before_sale +
                auction.returnHighestBid(tokenId)
        );
        assertEq(bob.balance, bob_balance_before_sale);
    }

Tools Used

Foundry

Recommended Mitigation Steps

To fix this issue, the bid amount should be sent to the correct recipient, namely the owner of the auctioned token (ownerOfToken). Below is the modified code snippet highlighting the necessary correction:

The Fix:

function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){
    // the code
    uint256 highestBid = returnHighestBid(_tokenid);
    address ownerOfToken = IERC721(gencore).ownerOf(_tokenid);
    address highestBidder = returnHighestBidder(_tokenid);
    //console.log(auctionInfoData[_tokenid].length);
    for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) {
        if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) {
            IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid);
            -    (bool success, ) = payable(owner()).call{value: highestBid}("");
            +    (bool success, ) = payable(ownerOfToken).call{value: highestBid}("");
            emit ClaimAuction(owner(), _tokenid, success, highestBid);
            //rest of the code

}

Assessed type

Access Control

@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 11, 2023
c4-submissions added a commit that referenced this issue Nov 11, 2023
@code4rena-admin code4rena-admin changed the title Bid Amount Sent to Auction Contract Owner in claimAuction Function Instead of nFT Owner Bid Amount Sent to Auction Contract Owner in claimAuction Function Instead of NFT Owner Nov 12, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #245

@c4-judge c4-judge added duplicate-738 satisfactory satisfies C4 submission criteria; eligible for awards and removed duplicate-245 labels Dec 5, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added duplicate-971 and removed duplicate-738 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 8, 2023
@c4-judge
Copy link

c4-judge commented Dec 9, 2023

alex-ppg changed the severity to 2 (Med Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue labels Dec 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-971 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Development

No branches or pull requests

4 participants