Auction winner could cause DOS in auctionDemo#claimAuction #1590
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-739
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
auctionDemo#claimAuction is called by the auction winner or an admin once the auction has ended. In a single transaction the function sends the NFT to the winner's address, forwards the winning bid to the previous owner of the NFT, and refunds every bidder who did not win. At line 112 the contract transfers the NFT to the winner using ERC721.safeTransferFrom. When the recipient address has code, that call invokes the recipient's onERC721Received hook, so a winner who bids from a contract whose hook reverts makes the whole claimAuction call revert. Because the refunds and the payout to the previous owner happen in the same call, every bid stays locked inside the auction contract until the attacker changes the behaviour of onERC721Received on their address.
Impact
The auction winner can cause a permanent DoS of the auctionDemo#claimAuction function, locking all bids inside the auction contract. The attacker can lift the DoS at any time by making the hook stop reverting, which releases the hostage assets, and can demand a ransom for doing so.
Proof of Concept
The following Foundry test shows the exploit scenario:
The test requires the Base.t.sol file from https://gist.github.com/sashik-eth/accf61913418dddc86d94ff5ae6fe9bd
Recommended Mitigation Steps
Consider transferring the NFT to the winner's address with ERC721.transferFrom instead of ERC721.safeTransferFrom. transferFrom performs no callback into the recipient, so the auction winner has no hook in which to revert and can no longer block claimAuction.
Assessed type
Token-Transfer
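The following Solidity contracts are an added, self-contained illustration of the finding and of the proposed mitigation; they are not NextGen's AuctionDemo code and do not reproduce the gist above. MinimalNFT, ToyAuction and MaliciousWinner are hypothetical names, and ToyAuction keeps only the shape that matters here: one claimAuction call that moves the NFT, pays the seller and refunds the losers. The `useSafe` flag selects the vulnerable safeTransferFrom path or the mitigated transferFrom path so both can be exercised against the same attacker contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Contract and function names
// are hypothetical and reduced to what is needed to show why a reverting
// onERC721Received hook blocks a claimAuction that uses safeTransferFrom.

interface IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4);
}

// Minimal NFT: just enough ERC721 to contrast transferFrom and safeTransferFrom.
// No approvals, balances or events.
contract MinimalNFT {
    mapping(uint256 => address) public ownerOf;

    function mint(address to, uint256 id) external { ownerOf[id] = to; }

    function transferFrom(address from, address to, uint256 id) public {
        require(ownerOf[id] == from, "not owner");
        ownerOf[id] = to;
    }

    // Same as transferFrom, plus the receiver hook whenever `to` has code.
    // That hook is the code path the attacker controls.
    function safeTransferFrom(address from, address to, uint256 id) external {
        transferFrom(from, to, id);
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, from, id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }
}

// Hypothetical auction with the shape described in the finding: a single call
// sends the NFT to the winner, pays the seller and refunds every loser.
contract ToyAuction {
    MinimalNFT public nft;
    uint256 public tokenId;
    address public seller;
    bool public useSafe;           // true = vulnerable path, false = mitigated path
    address[] public bidders;
    mapping(address => uint256) public bids;

    constructor(MinimalNFT _nft, uint256 _tokenId, bool _useSafe) {
        nft = _nft; tokenId = _tokenId; seller = msg.sender; useSafe = _useSafe;
    }

    function bid() external payable {
        if (bids[msg.sender] == 0) bidders.push(msg.sender);
        bids[msg.sender] += msg.value;
    }

    function winner() public view returns (address best) {
        uint256 high;
        for (uint256 i = 0; i < bidders.length; i++) {
            if (bids[bidders[i]] > high) { high = bids[bidders[i]]; best = bidders[i]; }
        }
    }

    // All effects live in this one call: if the NFT transfer reverts, the
    // seller's payout and every loser's refund revert with it.
    function claimAuction() external {
        address w = winner();
        if (useSafe) {
            nft.safeTransferFrom(seller, w, tokenId); // vulnerable: calls the winner's hook
        } else {
            nft.transferFrom(seller, w, tokenId);     // mitigated: no callback into the winner
        }
        for (uint256 i = 0; i < bidders.length; i++) {
            address b = bidders[i];
            uint256 amount = bids[b];
            bids[b] = 0;
            (bool ok,) = (b == w ? seller : b).call{value: amount}("");
            require(ok, "payout failed");
        }
    }
}

// Attacker-controlled winner. While `blocking` is true every safeTransferFrom
// to it reverts; the attacker can flip it off later to release the locked bids.
contract MaliciousWinner is IERC721Receiver {
    bool public blocking = true;
    address public owner;

    constructor() { owner = msg.sender; }

    function setBlocking(bool b) external { require(msg.sender == owner, "not owner"); blocking = b; }
    function bid(ToyAuction a) external payable { a.bid{value: msg.value}(); }

    function onERC721Received(address, address, uint256, bytes calldata) external view override returns (bytes4) {
        require(!blocking, "hostage");
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

To reproduce in Foundry or Remix: mint a token to the seller, deploy ToyAuction with `useSafe = true`, have MaliciousWinner place the highest bid alongside a few honest bidders, and call claimAuction. It reverts with "hostage", and the honest bidders' ETH stays in the auction until the attacker calls setBlocking(false). Redeploy with `useSafe = false` and the same claimAuction succeeds, because transferFrom never enters the winner's code. The trade-off of the mitigation is that a winner contract without any onERC721Received handling receives the token anyway, which is the accepted cost of removing the callback.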