If ERC721 safeTransferFrom fails in claimAuction, the ether collected by the Auction contract will not be refunded to the bidders #1653
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-739
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
Nov 13, 2023: c4-submissions added the "2 (Med Risk)" and "bug" labels.
Nov 15, 2023: 141345 marked the issue as primary issue; c4-pre-sort added the "primary issue" label (highest quality submission among a set of duplicates).
Nov 15, 2023: 141345 marked the issue as duplicate of #364; c4-pre-sort added the "duplicate-364" label and removed "primary issue".
Nov 15, 2023: 141345 marked the issue as not a duplicate, then as primary issue; c4-pre-sort added the "primary issue" label again.
Nov 15, 2023: this issue was referenced elsewhere.
Nov 15, 2023: 141345 marked the issue as duplicate of #843; c4-pre-sort added the "duplicate-843" label and removed "primary issue".
141345 marked the issue as duplicate of #486.
alex-ppg marked the issue as not a duplicate.
alex-ppg marked the issue as duplicate of #1759.
Dec 8, 2023: alex-ppg marked the issue as partial-50; c4-judge added the "partial-50" label (incomplete articulation of vulnerability; eligible for partial credit only, 50%).
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
There are situations in which an ERC721 safeTransferFrom call fails, and reviewing the claimAuction function shows that when it does, the ether held by the Auction contract is affected.
As the linked code shows, once the auction end time has passed and the highest bidder has been determined, the auctioned NFT is transferred from its owner to the highest bidder, the winning bid is forwarded to the Auction contract owner, and every losing bidder is refunded their ether, all within the same call.
However, if the NFT safeTransferFrom call reverts (for example because the highest bidder is a contract that cannot receive an ERC721 token), the whole claimAuction call reverts, and the ether collected from all bidders, including the winner, remains stuck inside the auction contract.
Proof of Concept
The Foundry test setup for this POC is in the following secret gist: https://gist.github.com/bluenights004/1c5e62a27d050bff4d70d337a4ff974c
The coded POC exercises the situation in which safeTransferFrom fails because the recipient contract is not capable of receiving an NFT. In this test, claimAuction reverts as a result, and the ether balances remain stuck inside the contract. No ether is distributed to the bidders after the revert.
Result of test:
No change in the ether balances before and after the claim, and no change in NFT ownership.
Tools Used
Manual review, Foundry
Recommended Mitigation Steps
Create an emergency withdraw function so the admin can recover the ether and distribute it to the bidders.
Assessed type
ERC721
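To make the failure mode concrete, the following is an added, simplified Solidity illustration; it is not the NextGen AuctionDemo.sol code, and the contract, function and event names (SimpleAuction, claimVulnerable, finalize, claimPrize, withdrawRefund, Paid) are assumptions made for this example. claimVulnerable reproduces the pattern the report describes: the NFT safeTransferFrom and every ether payout run in one loop, so a revert from the NFT transfer rolls back the losers' refunds as well. The second half shows one way to decouple the two: finalize credits refund balances without any external call, claimPrize carries only the winner's NFT transfer and the seller payout, and losing bidders pull their ether through withdrawRefund.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the NextGen AuctionDemo.sol code. Contract, function and
// event names (SimpleAuction, claimVulnerable, finalize, claimPrize, withdrawRefund,
// Paid) are assumptions made for this example.

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract SimpleAuction {
    struct Bid { address bidder; uint256 amount; }
    event Paid(address indexed to, uint256 amount, bool ok);

    IERC721 public immutable nft;
    address public immutable owner;             // receives the winning bid
    mapping(uint256 => address) public seller;  // token holder who listed it
    mapping(uint256 => uint256) public endTime;
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public settled;
    mapping(uint256 => bool) public prizeClaimed;
    mapping(uint256 => uint256) public winnerIndex;
    mapping(address => uint256) public refunds; // pull-payment balances

    constructor(IERC721 _nft) { nft = _nft; owner = msg.sender; }

    // Seller must have approved this contract for tokenId beforehand.
    function list(uint256 tokenId, uint256 _endTime) external {
        require(endTime[tokenId] == 0, "already listed");
        seller[tokenId] = msg.sender;
        endTime[tokenId] = _endTime;
    }

    function participate(uint256 tokenId) external payable {
        require(block.timestamp < endTime[tokenId], "auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value));
    }

    function highestIndex(uint256 tokenId) public view returns (uint256 idx) {
        Bid[] storage b = bids[tokenId];
        require(b.length > 0, "no bids");
        for (uint256 i = 1; i < b.length; i++) {
            if (b[i].amount > b[idx].amount) idx = i;
        }
    }

    // VULNERABLE PATTERN, mirroring what the report describes: NFT transfer and all
    // ether payouts in one transaction. If safeTransferFrom reverts (e.g. the winner
    // is a contract without onERC721Received), every refund sent in this loop is
    // rolled back too and the collected ether stays in this contract.
    function claimVulnerable(uint256 tokenId) external {
        require(block.timestamp >= endTime[tokenId] && !settled[tokenId], "not claimable");
        settled[tokenId] = true;
        Bid[] storage b = bids[tokenId];
        uint256 w = highestIndex(tokenId);
        for (uint256 i = 0; i < b.length; i++) {
            address to = (i == w) ? owner : b[i].bidder;
            if (i == w) nft.safeTransferFrom(seller[tokenId], b[i].bidder, tokenId); // may revert
            (bool ok, ) = payable(to).call{value: b[i].amount}("");
            emit Paid(to, b[i].amount, ok);
        }
    }

    // HARDENED: settlement is split. finalize() makes no external calls; it records
    // the winner and credits losing bids to refund balances, so no bidder-controlled
    // code can make it revert.
    function finalize(uint256 tokenId) external {
        require(block.timestamp >= endTime[tokenId] && !settled[tokenId], "not claimable");
        settled[tokenId] = true;
        Bid[] storage b = bids[tokenId];
        uint256 w = highestIndex(tokenId);
        winnerIndex[tokenId] = w;
        for (uint256 i = 0; i < b.length; i++) {
            if (i != w) refunds[b[i].bidder] += b[i].amount;
        }
    }

    // claimPrize() carries only the winner's NFT transfer and the seller payout. If
    // safeTransferFrom reverts here, losers' refunds are already credited and stay
    // withdrawable; only the winner's own claim is blocked.
    function claimPrize(uint256 tokenId) external {
        require(settled[tokenId] && !prizeClaimed[tokenId], "not finalized");
        prizeClaimed[tokenId] = true;
        Bid storage win = bids[tokenId][winnerIndex[tokenId]];
        nft.safeTransferFrom(seller[tokenId], win.bidder, tokenId);
        (bool ok, ) = payable(owner).call{value: win.amount}("");
        require(ok, "payout failed");
    }

    // Losing bidders pull their own ether, independently of any other party.
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to refund");
        refunds[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

A Foundry check along the lines of the report's POC would deploy a bidder contract with no onERC721Received, let it place the highest bid, and call claimVulnerable after endTime: the call reverts, settled[tokenId] stays false, and no bidder's balance changes. Against the split version the same bidder blocks only claimPrize; finalize succeeds and every loser can withdrawRefund. The residual case, a winner that can never receive the token, is left to an admin recovery path such as the emergency withdraw the report recommends, which is a design choice of this example rather than something the page states.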