Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Race condition at auction end time: User can both participate and claim #1451

Closed
c4-submissions opened this issue Nov 13, 2023 · 5 comments
Closed
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-175 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/a6f2397b68ef2865374c1bf7629349f25e71a44d/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/a6f2397b68ef2865374c1bf7629349f25e71a44d/smart-contracts/AuctionDemo.sol#L58

Vulnerability details

Impact

In the AuctionDemo contract, users can bid in an auction until its deadline and then claim the NFT. However, the current code allows users to call both participateToAuction(...) and claimAuction(...) at the auction end time.

This could lead to situations where:

  1. A winner may try to claim the winning NFT, but another user might outbid them.
  2. If a user bids at the last moment, the existing winner might claim the NFT before the new bid is processed.

Proof of Concept

The code snippets below show how auctionEndTime is checked in both functions. As you can see, both functions can be called when timestamp == auctionEndTime.

function participateToAuction(uint256 _tokenid) public payable {
    // @audit Allow when timestamp <= auctionEndTime
    require(msg.value > returnHighestBid(_tokenid) && block.timestamp <= minter.getAuctionEndTime(_tokenid) && minter.getAuctionStatus(_tokenid) == true);
    ...
}

function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){
    // @audit Allow when timestamp >= auctionEndTime
    require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true);
    ...
}

Tools Used

Manual review

Recommended Mitigation Steps

Consider only allowing 1 action (either participate or claim) at auction end time.

Assessed type

Timing

@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1935

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #962

@c4-judge c4-judge reopened this Dec 2, 2023
@c4-judge
Copy link

c4-judge commented Dec 2, 2023

alex-ppg marked the issue as not a duplicate

@c4-judge
Copy link

c4-judge commented Dec 2, 2023

alex-ppg marked the issue as duplicate of #1926

@c4-judge c4-judge added duplicate-175 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) and removed duplicate-1926 labels Dec 4, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-50

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-175 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Projects
None yet
Development

No branches or pull requests

3 participants