Reentrancy allows the winner to claim an NFT and return his bid. #1369
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-1323
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L112
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L125
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L105
Vulnerability details
Impact
Due to the incorrectly implemented timestamp checks in cancelBid(...) and claimAuction(...), the winner of an auction is able to reenter and obtain the NFT for free. Furthermore, the owner of the auction may receive no funds at all if the contract does not hold a sufficient amount of ether at that point.
Attack scenario
The vulnerability occurs because the timestamp checks in cancelBid(...) and claimAuction(...) overlap: when block.timestamp is equal to minter.getAuctionEndTime(_tokenid), both functions accept the call. The attacker can then trigger the following scenario:
1. In the block where block.timestamp equals getAuctionEndTime(...), the winner calls claimAuction(...).
2. onERC721Received is triggered in the attacker's contract when the NFT is transferred.
3. From that callback, the attacker calls cancelBid(...).
As a result, the attacker receives the NFT and his bid.
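The boundary overlap described above, and one way to close it, as an added illustration that is not the project's AuctionDemo.sol: a reduced auction keeping only the end-time checks and the two reentrancy-relevant paths. The contract name, storage layout, placeBid and the seller/nft wiring are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration (not the project's code): names and layout are assumed.
interface IMinter { function getAuctionEndTime(uint256) external view returns (uint256); }
interface IERC721Like { function safeTransferFrom(address, address, uint256) external; }

contract AuctionBoundaryModel {
    struct Bid { address bidder; uint256 amount; bool active; }
    IMinter public immutable minter;
    IERC721Like public immutable nft;
    address public immutable seller;
    mapping(uint256 => Bid[]) public bids;       // tokenId => bids, last is highest
    mapping(uint256 => bool) public claimed;
    bool private locked;

    constructor(IMinter m, IERC721Like n, address s) { minter = m; nft = n; seller = s; }

    // One guard shared by both entry points, so the onERC721Received callback
    // fired by safeTransferFrom inside claimAuction cannot re-enter cancelBid.
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function placeBid(uint256 tokenId) external payable {
        require(block.timestamp < minter.getAuctionEndTime(tokenId), "Auction ended");
        Bid[] storage b = bids[tokenId];
        require(b.length == 0 || msg.value > b[b.length - 1].amount, "bid too low");
        b.push(Bid(msg.sender, msg.value, true));
    }

    // The weak form from the report is `block.timestamp <= end`, which overlaps
    // with claimAuction's `>= end` for every block where timestamp == end.
    // Hardened: strict bound, state updated before the refund, guard applied.
    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant {
        require(block.timestamp < minter.getAuctionEndTime(tokenId), "Auction ended");
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.active, "not caller's active bid");
        b.active = false;                                    // effects first
        (bool ok, ) = payable(b.bidder).call{value: b.amount}("");
        require(ok, "refund failed");
    }

    function claimAuction(uint256 tokenId) external nonReentrant {
        require(block.timestamp >= minter.getAuctionEndTime(tokenId), "Auction live");
        require(!claimed[tokenId] && bids[tokenId].length > 0, "nothing to claim");
        claimed[tokenId] = true;                             // effects first
        Bid storage w = bids[tokenId][bids[tokenId].length - 1];
        require(w.active, "winning bid was cancelled");      // model limitation
        w.active = false;                                    // winner's bid is spent
        nft.safeTransferFrom(seller, w.bidder, tokenId);     // external callback here
        (bool ok, ) = payable(seller).call{value: w.amount}("");
        require(ok, "payout failed");
    }
}
```

With the strict `<` in cancelBid there is no timestamp at which both paths are open, and the shared guard blocks the callback path even if the bounds were ever loosened again.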
Proof of Concept
The following Foundry test exploits this vulnerability:
The attacker's contract:
Tools Used
Recommended Mitigation Steps
Change the following check:
Assessed type
Reentrancy