Any bidder can lock all the withdrawals #1213
Labels: 3 (High Risk) - Assets can be stolen/lost/compromised directly; bug - Something isn't working; duplicate-734; partial-50 - Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L116
Vulnerability Details
Prerequisites:
block.timestamp >= minter.getAuctionEndTime(_tokenid)
)call
Result:
Not enough gas to finish the execution (we still have not paid the winner in the for-loop, because the winner is the last entry with status true in the auctionInfoData array).
Impact
No one can withdraw their bids.
No way to recover the funds.
Proof of Concept
Put the contracts below in hardhat/smart-contracts.
Put the test file below in hardhat/tests/fileName.test.js and run npx hardhat test test/fileName.test.js.
Tools Used
Manual review
Recommended Mitigation Steps
Rewrite the auction so it uses Pull over Push pattern.
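The following is an added illustration of the pull-over-push pattern the mitigation refers to; it is not NextGen's AuctionDemo and the contract, function and variable names (PullOverPushAuction, pendingReturns, auctionEndTime) are assumptions. Settlement only records credits, and every bidder withdraws their own refund in a separate transaction, so one recipient that reverts or burns gas cannot block the other refunds or the winner payout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example (not the project's code): refunds are credited, not pushed.
contract PullOverPushAuction {
    struct Bid { address bidder; uint256 amount; bool status; }

    address public immutable seller;                    // receives the winning bid
    mapping(uint256 => Bid[]) public auctionInfoData;   // bids per token id
    mapping(uint256 => uint256) public auctionEndTime;  // assumed to be set elsewhere
    mapping(uint256 => bool) public claimed;
    mapping(address => uint256) public pendingReturns;  // credits to be pulled

    constructor(address _seller) { seller = _seller; }

    function participateToAuction(uint256 tokenId) external payable {
        require(block.timestamp < auctionEndTime[tokenId], "auction ended");
        auctionInfoData[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // Settlement makes NO external calls inside the loop, so no single bidder
    // can make this function run out of gas or revert for everyone else.
    function claimAuction(uint256 tokenId) external {
        require(block.timestamp >= auctionEndTime[tokenId], "not ended");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;

        Bid[] storage bids = auctionInfoData[tokenId];
        uint256 highest; uint256 winnerIdx; bool haveWinner;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].status && bids[i].amount > highest) {
                highest = bids[i].amount; winnerIdx = i; haveWinner = true;
            }
        }
        for (uint256 i = 0; i < bids.length; i++) {
            if (!bids[i].status) continue;
            if (haveWinner && i == winnerIdx) pendingReturns[seller] += bids[i].amount;
            else pendingReturns[bids[i].bidder] += bids[i].amount;
        }
    }

    // Each party pulls its own balance; a failing recipient only affects itself.
    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```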
Assessed type
DoS