All users who bid after claimAuction will have their funds stuck in the AuctionDemo contract forever #1642
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-175
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L57-L61
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Summary
There is no check in participateToAuction() to revert if claimAuction() has executed, which opens the possibility of users bidding after the auction has completed.
Vulnerability Details
The check block.timestamp <= minter.getAuctionEndTime(_tokenid) in participateToAuction() allows users to call it up to and including the auction end time. Similarly, the check block.timestamp >= minter.getAuctionEndTime(_tokenid) allows users to call claimAuction(). A user can call both methods at block.timestamp == minter.getAuctionEndTime(_tokenid). If the winner has already claimed using claimAuction(), the other users will still be able to call the participateToAuction() method at block.timestamp == minter.getAuctionEndTime(_tokenid). This will lead to their funds getting stuck in the contract forever, as cancelBid() and cancelAllBids() calls will revert.
POC Test:
Add the below test case in nextGen.test.js
Add Exploit contract
Add this in fixturesDeployment.js file
Logs:
Impact
All the users who bid at block.timestamp == minter.getAuctionEndTime(_tokenid) and after claimAuction() execution will have their funds stuck in the AuctionDemo contract forever.
Recommendations
Update claimAuction() to execute on block.timestamp > minter.getAuctionEndTime(_tokenid) or add the below line in participateToAuction() method.
Assessed type
Access Control
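
The boundary condition described in this report, replayed in a small Python model as an added example (not code from the report or from the NextGen contracts). AuctionModel, stranded_funds, the one-time claim flag, the settle-everything behaviour of claim and the cancel deadline are assumptions made for the model; only the two timestamp comparisons and the strict > fix come from the report.

```python
class Revert(Exception):
    """Stands in for a failed require() in the contract."""

class AuctionModel:
    def __init__(self, end_time, strict_claim=False):
        self.end_time = end_time          # models minter.getAuctionEndTime(_tokenid)
        self.strict_claim = strict_claim  # True: claim only when timestamp > end time
        self.claimed = False              # assumption: claim can succeed only once
        self.bids = {}                    # bidder -> amount still held by the model

    def participate(self, now, bidder, amount):
        # Check quoted in the report: block.timestamp <= auction end time.
        if not now <= self.end_time:
            raise Revert("auction ended")
        self.bids[bidder] = self.bids.get(bidder, 0) + amount

    def claim(self, now):
        # Report: block.timestamp >= end time; the recommended fix uses strict >.
        ended = now > self.end_time if self.strict_claim else now >= self.end_time
        if not ended or self.claimed:
            raise Revert("claim not allowed")
        self.claimed = True
        settled, self.bids = self.bids, {}  # assumption: settles every bid held so far
        return settled

    def cancel(self, now, bidder):
        # Assumption: bids can be cancelled only until the end time.
        if not now <= self.end_time or bidder not in self.bids:
            raise Revert("cancel not allowed")
        return self.bids.pop(bidder)

def _attempt(call, *args):
    """Run a model call and swallow a Revert, like a failed transaction."""
    try:
        return call(*args)
    except Revert:
        return None

def stranded_funds(strict_claim, end_time=1000):
    """Replay the report's ordering; return the amount left locked in the model."""
    auction = AuctionModel(end_time, strict_claim)
    auction.participate(end_time - 10, "alice", 5)   # constructed sample bids
    _attempt(auction.claim, end_time)                # claim in the boundary block
    _attempt(auction.participate, end_time, "bob", 7)  # late bid, same timestamp
    _attempt(auction.claim, end_time + 1)            # succeeds only if not yet claimed
    for bidder in list(auction.bids):                # last exit path for leftover bids
        _attempt(auction.cancel, end_time + 1, bidder)
    return sum(auction.bids.values())
```

With the inclusive check the late bid of 7 stays in the model with no call left that can release it; with the strict check the boundary-block claim reverts and the later claim settles both bids.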