Malicious users can double claim their bid(s) because of a less than or equal comparison in the cancelBid and cancelAllBids functions #1092
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L125
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L135
Vulnerability details
Impact
Some bidders will be able to get a double refund of their deposited eth, while others won't be able to get a refund at all.
Proof of Concept
In the current implementation of the AuctionDemo contract, both the cancelBid and cancelAllBids functions compare block.timestamp to auctionEndTime using a less than or equal to comparison. This is fine on its own, but because the claimAuction function compares the same values using greater than or equal to, the two windows overlap. The issue is that if block.timestamp equals auctionEndTime, a malicious user that has placed a bid can call cancelBid/cancelAllBids from their receive function when they receive their eth refund from claimAuction. That way, they get back double the amount of their bid, while other legitimate users are not able to get a refund at all. As we know, tweaking the block timestamp up a bit in order to satisfy the above condition is definitely within the realm of possibility and can easily happen if the right incentives are in place. A Proof of Concept (PoC) demonstrating a very basic scenario of how this can be exploited is provided below.
To get the PoC up and running, follow these steps:
1. In the hardhat/smart-contracts directory, create a new file named AuctionDemoDoubleRefundee.sol.
2. Import the mine and time utilities from @nomicfoundation/hardhat-toolbox/network-helpers at the top of the hardhat/test/nextGen.test.js file like so:
3. Add the following test to the NextGen Tests describe block in the hardhat/test/nextGen.test.js file:
4. Run npx hardhat compile in the hardhat directory.
5. Run npx hardhat test in the hardhat directory.
Tools Used
Manual Review, Hardhat
Recommended Mitigation Steps
Remove the less than or equal to operator in both the cancelBid and cancelAllBids functions and replace it with a less than operator, so that a cancellation and a claim can never both pass at block.timestamp == auctionEndTime.
Assessed type
Access Control
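As an added illustrative example (not the NextGen AuctionDemo contract), the following minimal auction applies the mitigation above: cancelBid uses a strict less-than check while claimAuction keeps greater-than-or-equal, so the two windows never overlap at block.timestamp == auctionEndTime. It goes one step beyond the recommendation by marking a bid inactive before the refund call (checks-effects-interactions); the winner payout and cancelAllBids are omitted, and claimAuction simply refunds every still-active bid.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative contract written for this issue, not the audited AuctionDemo.
// It keeps the entry points the finding discusses and shows the corrected
// window checks: cancelling only strictly before auctionEndTime, claiming
// only at or after it, so no single block.timestamp satisfies both.
contract AuctionWindowExample {
    struct Bid { address bidder; uint256 amount; bool status; }

    uint256 public immutable auctionEndTime;
    Bid[] public bids;

    constructor(uint256 _auctionEndTime) { auctionEndTime = _auctionEndTime; }

    function participate() external payable {
        require(block.timestamp < auctionEndTime, "Auction ended");
        bids.push(Bid(msg.sender, msg.value, true));
    }

    // Fixed: strict '<' instead of '<='. At block.timestamp == auctionEndTime
    // this reverts, so a bidder cannot cancel while claimAuction is refunding.
    function cancelBid(uint256 index) external {
        require(block.timestamp < auctionEndTime, "Auction ended");
        Bid storage b = bids[index];
        require(b.bidder == msg.sender && b.status, "Not an active bid");
        b.status = false;                        // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");
    }

    // Unchanged window: claiming starts exactly at auctionEndTime.
    // Simplified: refunds every active bid (winner handling left out).
    function claimAuction() external {
        require(block.timestamp >= auctionEndTime, "Auction not ended");
        for (uint256 i = 0; i < bids.length; i++) {
            Bid storage b = bids[i];
            if (!b.status) continue;
            b.status = false;                    // mark refunded before the call
            (bool ok, ) = payable(b.bidder).call{value: b.amount}("");
            require(ok, "refund failed");
        }
    }
}
```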