Malicious bidders can re-enter the cancelBid() function upon refunding and steal ETH.
#1540
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
Impact
A malicious bidder can steal twice the amount of ETH they bid by exploiting cross-function reentrancy between claimAuction and cancelBid.
Proof of Concept
Consider the following scenario with participants Alice, Bob, and Bob's second account (let's call it Ron) in the auction:
1) Alice, Ron, and Bob bid 1 ETH, 2 ETH, and 3 ETH, respectively.
2) Bob, as the highest bidder, calls claimAuction when block.timestamp == minter.getAuctionEndTime(_tokenId).
3) The claimAuction function also refunds the losing bidders once the winner claims the auction or the function admin calls it.
4) During the loop iteration, the amount is refunded to Ron. As soon as it receives the funds, Ron re-enters the cancelBid function and cancels the bid, so it is paid out twice: Ron receives 4 ETH in total.
5) On the loop's third iteration, the NFT is sent to the winner and the function execution finishes.
Link to relevant code - Line 116
Link to relevant code - Line 124
Tools Used
vscode
Recommended Mitigation Steps
Ensure that the claimAuction function is called only after the auction has ended.
Assessed type
Reentrancy
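The following is an added, simplified illustration of how the two functions can be hardened against the scenario above; it is not the NextGen AuctionDemo contract, and the contract name, storage layout, index parameter and the omitted bid-placement logic are all assumptions. It applies the recommended mitigation (disjoint cancel and claim windows) together with marking a bid as settled before any ETH leaves and a shared reentrancy lock:

```solidity
pragma solidity ^0.8.20;

// Hypothetical simplified auction, not the NextGen AuctionDemo contract. It closes
// the cross-function reentrancy above by keeping the cancel and claim windows
// disjoint, flagging a bid as settled before any ETH leaves, and one shared lock.
contract HardenedAuction {
    struct Bid { address bidder; uint256 amount; bool active; }
    mapping(uint256 => Bid[]) public bids;      // tokenId => bids (placement omitted)
    mapping(uint256 => uint256) public endTime; // tokenId => end timestamp
    mapping(uint256 => bool) public claimed;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant {
        // Strict '<' here and '>=' in claimAuction: no block.timestamp satisfies
        // both, unlike the '<=' / '>=' pair that the scenario above relies on.
        require(block.timestamp < endTime[tokenId], "auction ended");
        Bid storage b = bids[tokenId][index];
        require(msg.sender == b.bidder && b.active, "not your active bid");
        b.active = false; // effect before interaction
        (bool ok, ) = b.bidder.call{value: b.amount}("");
        require(ok, "refund failed");
    }

    function claimAuction(uint256 tokenId) external nonReentrant {
        require(block.timestamp >= endTime[tokenId], "auction not ended");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        Bid[] storage list = bids[tokenId];
        uint256 win = type(uint256).max; // index of the highest active bid
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i].active && (win == type(uint256).max || list[i].amount > list[win].amount)) win = i;
        }
        require(win != type(uint256).max, "no active bids");
        for (uint256 i = 0; i < list.length; i++) {
            if (i == win || !list[i].active) continue;
            list[i].active = false; // mark refunded before sending ETH
            (bool ok, ) = list[i].bidder.call{value: list[i].amount}("");
            require(ok, "refund failed");
        }
        // NFT transfer and payout of list[win].amount to the seller omitted
    }
}
```

With the bid flagged inactive before the refund, a re-entrant or same-block cancelBid fails the active check even if the timing windows were ever allowed to overlap again.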