Bidder can DoS claimAuction #1339
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
edited-by-warden
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
Summary
A bidder can cause a DoS in the `claimAuction` function, preventing the owner from claiming his NFT.
Vulnerability Details
The `claimAuction` function can be called by the highest bidder to claim his NFT. This function is supposed to transfer the NFT to the `msg.sender`, pay the previous owner of the NFT and return all the funds to the other bidders. However, when trying to refund, it uses `payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("")`. This can be exploited because the bidder can be a contract that makes the transaction run out of gas and therefore DoS the function. This also means that the funds are stuck in the contract, since there is no way a user can get his money back.
An attacker can perform this attack pretty easily: if he is the first bidder he can send a value close to zero. He can also front-run another bidder so that the attacker is the first person (and pays very little).
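The refund loop described above, next to a pull-based alternative, as an added illustration that is not code from the NextGen repository or from this report. Only the `auctionInfoData[_tokenid][i].bidder` / `.bid` shape comes from the snippet quoted above; the contract name, the `participateToAuction` and claim bodies, and the `pendingRefund` mapping are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not code from the NextGen repository or from this report.
// The struct/mapping shape mirrors the snippet quoted in the report
// (auctionInfoData[_tokenid][i].bidder / .bid); the contract name, the
// function bodies and the pendingRefund mapping are assumptions.
contract RefundPatterns {
    struct Bid {
        address bidder;
        uint256 bid;
        bool status; // true while the bid is still live (not yet refunded)
    }

    mapping(uint256 => Bid[]) public auctionInfoData; // tokenId => bids
    mapping(uint256 => address) public highestBidder;  // tokenId => current leader
    mapping(uint256 => uint256) public highestBid;

    // Minimal bidding so the contract is self-contained; a bid must outbid the current leader.
    function participateToAuction(uint256 _tokenid) external payable {
        require(msg.value > highestBid[_tokenid], "bid too low");
        auctionInfoData[_tokenid].push(Bid(msg.sender, msg.value, true));
        highestBidder[_tokenid] = msg.sender;
        highestBid[_tokenid] = msg.value;
    }

    // --- Pattern 1: push refunds inside the claim (the shape the report describes) ---
    // Every losing bidder is paid in the same transaction that settles the auction, via a
    // low-level call that forwards all remaining gas. A recipient that reverts, or that burns
    // the forwarded gas, makes `success` false: checking it reverts the whole claim, while not
    // checking it silently drops that bidder's refund. Either way a single recipient decides
    // whether settlement completes.
    function claimAuctionPush(uint256 _tokenid) external {
        require(msg.sender == highestBidder[_tokenid], "not the winner");
        Bid[] storage bids = auctionInfoData[_tokenid];
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].bidder != msg.sender && bids[i].status) {
                bids[i].status = false;
                (bool success, ) = payable(bids[i].bidder).call{value: bids[i].bid}("");
                require(success, "refund failed"); // one failing refund blocks the claim
            }
        }
        // NFT transfer and payment to the seller would follow here (omitted).
    }

    // --- Pattern 2: pull refunds ---
    // The claim only records what each loser is owed; no ETH leaves the contract here,
    // so no bidder's receive()/fallback code runs during settlement.
    mapping(address => uint256) public pendingRefund;

    function claimAuctionPull(uint256 _tokenid) external {
        require(msg.sender == highestBidder[_tokenid], "not the winner");
        Bid[] storage bids = auctionInfoData[_tokenid];
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].bidder != msg.sender && bids[i].status) {
                bids[i].status = false;
                pendingRefund[bids[i].bidder] += bids[i].bid; // bookkeeping only
            }
        }
        // NFT transfer and payment to the seller would follow here (omitted).
    }

    // Each losing bidder withdraws on their own. A recipient that cannot accept ETH
    // only fails its own withdrawal and never affects other bidders or the claim.
    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0; // zero the balance before the external call
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "withdraw failed");
    }
}
```

The report's own recommendation (rejecting contract bidders in `participateToAuction`) is a different fix. The pull variant above removes the dependency on each recipient's behaviour altogether: a bidder that cannot receive ETH only blocks its own withdrawal, never the claim, and no code-size heuristic is needed (such a heuristic also cannot tell apart a contract that calls during its constructor, when its code size is still zero).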
Proof of Concept
Add this contract in hardhat/smart-contracts:
Add this test to nextGen.test.js:
Also add `time` from `@nomicfoundation/hardhat-toolbox/network-helpers` at the top of the test, like this:
In this test we can see how `BidderContract` performs a successful DoS and leaves all the funds locked in the `AuctionDemo` contract.
Impact
Funds are stuck in the `AuctionDemo` contract, which prevents the highest bidder from claiming his NFT.
Tools Used
VS Code, Manual Review, Hardhat
Recommended Mitigation Steps
I would recommend checking whether the `msg.sender` is a contract in the `participateToAuction` function and preventing him from placing a bid.
Assessed type
DoS