The auction winner can steal funds in auctionDemo contract #1654
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Summary
The highest bidder can call
claimAuction()
and claim their nft. But the status of the bid is never set to false. If the block.timestamp == minter.getAuctionEndTime(_tokenid) they can callcancelAllBids()
and get their nft payment back.Vulnerability Details
The method
claimAuction()
uses SafeTransferFrom to ensure that receiver implements IERC721Receiver. This opens an opportunity for the malicious user to exeucte a method ononERC721Received()
. The status of the bid is not set as false. So a winner can callcancelAllBids()
and claim it's funds and get both the nft and its funds.POC:
POC Test:
Add the exploit contract
Add the below test case in
nextGen.test.js
POC Logs:
Impact
A user can claim its funds as well as the nft by exploiting the
safeTranferFrom()
method.Recommendations
Either update the require statement as below.
or add a check !auctionClaim[_tokenid] in
cancelBid()
andcancelAllBids()
.Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: