Malicious user can perform a permanent DoS to the AuctionDemo::claimAuction function by consuming all transaction gas
#1029
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-734
edited-by-warden
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
Impact
The AuctionDemo::claimAuction function will become permanently bricked. This means that none of the non-winning bids placed while the auction was active can be refunded, the Ether from the winning bid cannot be sent to the contract owner, and the auction winner cannot receive their NFT.
Proof of Concept
Let's take the following example:
1. A malicious bidder places a bid from a contract whose receive function consumes all of the gas forwarded to it.
2. After the auction ends, the winner calls the AuctionDemo::claimAuction function in order to claim the NFT that they just won.
3. When claimAuction refunds the non-winning bids, the transfer to the malicious bidder burns all of the transaction gas inside the receive function of the malicious bidder contract, and the whole call reverts. The function will keep on reverting, no matter how many times it gets called.
Please note: In this example, the malicious bidder is the first one to place a bid, but this is not strictly necessary. The malicious bid can be placed at any time during the auction, as long as it is not the winning bid (since the Ether from that one gets sent to the contract owner instead of being refunded). The provided example is just the worst-case scenario, where the attacker performs the exploit in the cheapest way possible.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a gas cap to the refund call.
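The refund loop shape described above beside a hardened variant, as an added illustration that is not the NextGen AuctionDemo code (the RefundExample contract, its Bid struct, REFUND_GAS and pendingRefunds are all hypothetical):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal auction used only to illustrate the refund DoS;
// not the NextGen AuctionDemo contract.
contract RefundExample {
    struct Bid { address bidder; uint256 amount; }
    Bid[] public bids;
    address public winner;
    mapping(address => uint256) public pendingRefunds;

    // Vulnerable shape: a single bidder whose receive() burns the forwarded
    // gas (or simply reverts) makes the whole loop revert, for every caller,
    // on every attempt, so no bid is ever refunded.
    function refundLosersUnsafe() external {
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].bidder == winner) continue;
            (bool ok, ) = payable(bids[i].bidder).call{value: bids[i].amount}("");
            require(ok, "refund failed");
            bids[i].amount = 0;
        }
    }

    // Hardened shape: forward only a bounded amount of gas to each refund and
    // never let one failing recipient block the others; a failed push becomes
    // a pull-payment the bidder can withdraw later.
    uint256 private constant REFUND_GAS = 50_000; // assumed budget

    function refundLosersSafe() external {
        for (uint256 i = 0; i < bids.length; i++) {
            uint256 amount = bids[i].amount;
            if (bids[i].bidder == winner || amount == 0) continue;
            bids[i].amount = 0; // effects before interaction
            (bool ok, ) = payable(bids[i].bidder).call{value: amount, gas: REFUND_GAS}("");
            if (!ok) {
                pendingRefunds[bids[i].bidder] += amount;
            }
        }
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

A gas cap on its own is not enough if the loop still reverts on a failed call, because a recipient that reverts within the cap would brick it just the same; the cap bounds what a recipient can burn, and the pull-payment fallback removes the recipient's ability to block everyone else.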
Assessed type
DoS