AuctionDemo.claimAuction :: Highest bidder can cause permanent DOS and cannot refund to rest of the bidders. #1167
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-739
edited-by-warden
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
Severity: High (loss of the remaining bidders' funds)
Likelihood: Medium (the highest bidder has to be a contract)
Proof of Concept
When the auction ends, the highest bidder can claim the NFT, but a contract acting as the highest bidder can refuse to implement the
onERC721Received
fallback, which causes a DOS. So the owner of the token will not get their ether, and there is no way to refund the bidders if this attack is executed, since you cannot cancel bids after the auction ends. Here are the exact steps to execute this attack:
1. minter.mintAndAuction(), which airdrops the token to the recipient and sets the auction status to true.
2. claimAuction will always revert. The owner of the tokenId it was airdropped to can also refuse to accept the ether by being a contract (low likelihood).
3. cancelBid cannot be called because it is past the endTime, and now the ether is stuck.
Tools Used
Manual review & foundry testing
Recommended Mitigation Steps
In
AuctionDemo.participateToAuction
, use transfer instead of safeTransfer. The attacker can afford to lose if they don't implement the ERC721 receiving standard.
Assessed type
ERC721
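The failure mode the report describes, as an added illustration that is not NextGen's AuctionDemo code: a minimal auction whose claim step pushes the NFT with safeTransferFrom and pushes ether to every bidder in the same transaction, a bidder contract that deliberately lacks onERC721Received, and a hardened variant that applies the report's fix (transferFrom) together with pull-based payouts. Contract names, storage layout, the startAuction helper and the owner/recipient handling are simplified assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Example code, not the project's own. The bid bookkeeping, startAuction
// helper and single-owner payout are assumptions made to keep the model small.

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
    function transferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

abstract contract AuctionBase {
    struct Bid { address bidder; uint256 amount; }
    IERC721 public immutable nft;
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => uint256) public endTime;

    constructor(IERC721 _nft) { nft = _nft; }

    // Assumed helper standing in for minter.mintAndAuction(): opens the auction window.
    function startAuction(uint256 tokenId, uint256 duration) external {
        require(endTime[tokenId] == 0, "auction exists");
        endTime[tokenId] = block.timestamp + duration;
    }

    function participateToAuction(uint256 tokenId) external payable {
        require(block.timestamp < endTime[tokenId], "auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value));
    }

    function _highest(Bid[] storage b) internal view returns (uint256 idx) {
        for (uint256 i = 1; i < b.length; i++) if (b[i].amount > b[idx].amount) idx = i;
    }
}

// Pattern the report flags: a single safeTransferFrom into a contract without
// onERC721Received reverts the whole claim, and with it every refund below it.
contract VulnerableAuction is AuctionBase {
    constructor(IERC721 _nft) AuctionBase(_nft) {}

    function claimAuction(uint256 tokenId) external {
        Bid[] storage b = bids[tokenId];
        require(block.timestamp >= endTime[tokenId] && b.length > 0, "not ended");
        uint256 hi = _highest(b);
        address owner = nft.ownerOf(tokenId);
        nft.safeTransferFrom(owner, b[hi].bidder, tokenId); // reverts if winner rejects the NFT
        (bool ok, ) = owner.call{value: b[hi].amount}("");   // reverts if owner rejects ether
        require(ok, "owner payout failed");
        for (uint256 i = 0; i < b.length; i++) {
            if (i == hi) continue;
            (ok, ) = b[i].bidder.call{value: b[i].amount}("");
            require(ok, "refund failed");                     // one bad refund blocks all
        }
    }
}

// A bidder that deliberately has no onERC721Received and no receive():
// safeTransferFrom to it reverts, so VulnerableAuction.claimAuction never completes
// and, because cancelBid is only allowed before endTime, every bid stays locked.
contract RejectingBidder {
    function bid(AuctionBase a, uint256 tokenId) external payable {
        a.participateToAuction{value: msg.value}(tokenId);
    }
}

// Hardened variant: transferFrom (the report's recommendation) skips the receiver
// hook, and payouts are recorded and withdrawn separately, so neither the winner
// nor the token owner can hold the other bidders' refunds hostage.
contract HardenedAuction is AuctionBase {
    mapping(address => uint256) public pendingWithdrawals;
    mapping(uint256 => bool) public claimed;

    constructor(IERC721 _nft) AuctionBase(_nft) {}

    function claimAuction(uint256 tokenId) external {
        Bid[] storage b = bids[tokenId];
        require(block.timestamp >= endTime[tokenId] && b.length > 0, "not ended");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        uint256 hi = _highest(b);
        address owner = nft.ownerOf(tokenId);
        nft.transferFrom(owner, b[hi].bidder, tokenId);      // no onERC721Received check
        pendingWithdrawals[owner] += b[hi].amount;
        for (uint256 i = 0; i < b.length; i++) {
            if (i != hi) pendingWithdrawals[b[i].bidder] += b[i].amount;
        }
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;                   // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

To reproduce the report's scenario against the vulnerable model: start an auction, have a RejectingBidder place the highest bid alongside at least one honest bidder, advance past endTime, and call claimAuction; it reverts at safeTransferFrom and the honest bidder's ether has no exit. With transferFrom alone the winner's contract receives the token even though it cannot handle it, which is the trade-off the report accepts; the pull-based withdraw() is an added hardening step beyond the report's recommendation that also covers the lower-likelihood case of a token owner that refuses ether.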