-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AuctionDemo.sol
- Malicious winner can block other users from receiving their bid back when auction ends
#1143
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-739
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
c4-submissions
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Nov 12, 2023
141345 marked the issue as duplicate of #364 |
141345 marked the issue as not a duplicate |
141345 marked the issue as duplicate of #1653 |
141345 marked the issue as duplicate of #843 |
141345 marked the issue as duplicate of #486 |
alex-ppg marked the issue as not a duplicate |
alex-ppg marked the issue as duplicate of #1759 |
alex-ppg marked the issue as partial-50 |
c4-judge
added
the
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
label
Dec 8, 2023
alex-ppg changed the severity to 2 (Med Risk) |
c4-judge
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
downgraded by judge
Judge downgraded the risk level of this issue
labels
Dec 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-739
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
At the end of the auction, the winner or admin can execute
claimAuction()
.This function transfers NFT to the winner of the auction and iterates over
auctionInfoData[_tokenid]
to refund bids to other users who hadn't managed to win the auction.This behavior poses a security risk. Malicious winner may bid from the address which does not accept NFTs. Since
safeTransferFrom()
will revert,claimAuction()
will revert and it won't be possible for other users to get their bids back.Proof of Concept
Whenever we bid, our address is being added to
auctionInfoData[_tokenid]
:File: AuctionDemo.sol
Whenever auction ends, function
claimAuction()
iterates overauctionInfoData[_tokenid]
and refunds bids to addresses which hadn't won the auction.File: AuctionDemo.sol
If
auctionInfoData[_tokenid][i].bidder == highestBidder
, we transfer NFT to the winner.However, the winner might not accept NFTs, thus
safeTransferFrom()
will revert.Because of that revert, function
claimAuction()
will keep reverting every time we will try to call it.This leads to a huge problem for users who bid, were outbid and didn't call
cancelBid()
orcancelAllBids()
.Functions
cancelBid()
orcancelAllBids()
which allow to cancel (and refund) the bid can only be called, when auction is still in progress. Since auction has ended - it's not possible to call them. The only way to get the refund is by callingclaimAuction()
. However,claimAuction()
reverts. This means, that all bids are stuck in the contract and there's no way to get them back.Tools Used
Manual code review
Recommended Mitigation Steps
Make sure to separate the logic of
claimAuction()
. Much better idea would be to have two separate functions - the first one, which will refund bids to others, and the second one - which will send NFT to the winner. That way, even whensafeTransferFrom()
reverts, other users will be able to get their bids refunded.Assessed type
DoS
The text was updated successfully, but these errors were encountered: