Wrong recipient of the auction bid #1019
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-971
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L112-L114
Vulnerability details
Summary
The recipient of the highest bid in an auction should be the owner of the token, as stated in the main invariants in the C4 description of the protocol. Instead, the funds are sent to the owner of the AuctionDemo contract.
Vulnerability Details
One of the main invariants in the C4 description mentions that the recipient of the funds from the highest bidder in an auction should be the owner of the token:
The highest bidder will receive the token after an auction finishes, the owner of the token will receive the funds and all other participants will get refunded.
This main invariant is broken because the funds are sent to the wrong address. In the linked lines, the funds are instead sent to the owner of the AuctionDemo contract, obtained by calling the owner() function:
Impact
The wrong address will receive the auction funds and a main invariant is broken.
Tools Used
Manual Review
Recommendations
Change the recipient from owner() to ownerOfToken.
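The following simplified auction contract is an added illustration of the invariant and the recommended fix; it is not the NextGen AuctionDemo code, and the contract, storage and function names in it are assumed. The payout reads the seller with ownerOf() before the NFT transfer, since afterwards ownerOf() returns the winner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical, simplified auction written for this note; not the NextGen
// AuctionDemo contract. All names below are assumed for illustration.
contract SimplifiedAuction {
    struct Bid { address bidder; uint256 amount; }
    IERC721 public immutable nft;
    address public immutable deployer;            // what owner() returns in the finding
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => uint256) public auctionEnd;
    mapping(uint256 => bool) public claimed;

    constructor(IERC721 nft_) { nft = nft_; deployer = msg.sender; }

    function placeBid(uint256 tokenId) external payable {
        require(block.timestamp < auctionEnd[tokenId], "auction over");
        bids[tokenId].push(Bid(msg.sender, msg.value));
    }

    function claimAuction(uint256 tokenId) external {
        require(block.timestamp >= auctionEnd[tokenId], "auction running");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        // Read the seller BEFORE the transfer: afterwards ownerOf() is the winner.
        address ownerOfToken = nft.ownerOf(tokenId);
        Bid[] storage all = bids[tokenId];
        require(all.length > 0, "no bids");
        uint256 win = 0;                            // index of the highest bid
        for (uint256 i = 1; i < all.length; i++) {
            if (all[i].amount > all[win].amount) win = i;
        }
        nft.transferFrom(ownerOfToken, all[win].bidder, tokenId);
        // Reported bug: paying `deployer` (the contract owner). The invariant
        // requires the token owner, so the highest bid goes to ownerOfToken.
        (bool ok, ) = payable(ownerOfToken).call{value: all[win].amount}("");
        require(ok, "payout failed");
        for (uint256 i = 0; i < all.length; i++) {  // refund every other bidder
            if (i == win) continue;
            (bool r, ) = payable(all[i].bidder).call{value: all[i].amount}("");
            require(r, "refund failed");
        }
    }
}
```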
Assessed type
Token-Transfer