safeTransferFrom
in AuctionDemo.claimAuction
can be abused to Reentrancy attacks
#1623
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
calling
safeTransferFrom
inAuctionDemo.claimAuction
contains a reentrancy vulnerability, by abusingsafeTransferFrom
, the malicious bidder can get the token without paying any ETHProof of Concept
To abusing the reentrancy vulnerability, 3 conditions need to be met:
safeTransferFrom
has a callbackAuctionDemo.claimAuction
doesn't have reentrancy protection, and can be called when block.timestamp >= minter.getAuctionEndTime(_tokenid), please note here the comparison is >=AuctionDemo.cancelBid
doesn't have reentrancy protection, and can be called when block.timestamp <= minter.getAuctionEndTime(_tokenid), please note here the comparison is <=Suppose Alice depolys a contract to participate in the auction, and the contract is the highest bidder, and she calls
AuctionDemo.claimAuction
when (block.timestamp == minter.getAuctionEndTime(_tokenid), the function will passrequire check
at AuctionDemo.sol#L105, and then will arrive AuctionDemo.sol#L112, within safeTransferFrom, contract'sonERC721Received
will be calledWithin the
onERC721Received
function, the contract will callAuctionDemo.cancelBid
orAuctionDemo.cancelAllBids
.In
AuctionDemo.cancelBid
, the require will be passed because we're calling when block.timestamp == minter.getAuctionEndTime(_tokenid)after calling
AuctionDemo.cancelBid
, Alice gets her ETH back, and asAuctionDemo.claimAuction
continue, she also gets the auction token.Tools Used
VIM
Recommended Mitigation Steps
add reentrancy protection
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: