The ETH that user participates in the auction may be locked forever in some special scenarios #1603
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-175
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L57-L61
Vulnerability details
Impact
The
auctionDemo
contract's participateToAuction function does not provide good condition verification.When the auction ends, users can still participate. If a user calls the
participateToAuction
function at the auction's end timestamp, the ETH he provided for the bid may be permanently locked in the contract because the NFT may have already been claimed by the winner.Proof of Concept
Let's assume that the timestamp of the end of the auction is exactly equal to the timestamp of a block.
Alice and Bob both want to win the NFT, and they broadcast their transactions at the same time within the last 12 seconds:
claimAuction
function to successfully claim the NFT.The above transactions are completed simultaneously in the last block. At this point, Bob's 2 ETH will be locked in the contract forever!
Because the NFT has been taken by Alice, so Bob's call to the
claimAuction
function will not succeed. And the timestamp of the next block will be greater than the auction end timestamp, so Bob cannot call thecancelBid
function to take his ETH back .Tools Used
Foundry And VsCode
Recommended Mitigation Steps
optimize the
participateToAuction
functionfunction participateToAuction(uint256 _tokenid) public payable { require(msg.value > returnHighestBid(_tokenid) && block.timestamp <= minter.getAuctionEndTime(_tokenid) && minter.getAuctionStatus(_tokenid) == true); + require(auctionClaim[_tokenid] == true, " not allow to participate anymore "); auctionInfoStru memory newBid = auctionInfoStru(msg.sender, msg.value, true); auctionInfoData[_tokenid].push(newBid); }
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: