Malicious users can use reentrancy to double their bid money in the AuctionDemo contract #1770
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-1323
- partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134-L143
Vulnerability details
Impact
When `block.timestamp == minter.getAuctionEndTime(_tokenid)`, a user can call both `claimAuction()` and `cancelBid()`. This one-second overlap lets a malicious bidder use cross-function reentrancy to receive the funds they bid twice. If the bid is large enough, this can drain all the funds held by the contract.

Proof of Concept
The hack contract will look something like this:
Tools Used
Manual Review
Recommended Mitigation Steps
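As an added illustration that is not part of this finding or of the NextGen code base, a simplified hypothetical auction contract showing one way to close the overlap: the cancel window uses a strict `<` so it is disjoint from the `>=` claim window, each bid is marked inactive before its refund is sent, and a mutex blocks reentrancy. The names `HardenedAuction`, `openAuction` and `endTime` are invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified auction (not the NextGen AuctionDemo code) showing
// disjoint cancel/claim windows, checks-effects-interactions and a mutex.
contract HardenedAuction {
    struct Bid { address bidder; uint256 amount; bool active; }

    mapping(uint256 => uint256) public endTime;   // stands in for minter.getAuctionEndTime
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public claimed;
    bool private locked;

    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }

    // End time can be set once per token; in the model this replaces the minter contract.
    function openAuction(uint256 tokenId, uint256 end) external { require(endTime[tokenId] == 0); endTime[tokenId] = end; }

    function placeBid(uint256 tokenId) external payable {
        require(block.timestamp < endTime[tokenId], "auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // The reported overlap comes from `<= endTime` here against `>= endTime` in
    // claimAuction; the strict `<` makes the two windows disjoint.
    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant {
        require(block.timestamp < endTime[tokenId], "auction ended");
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.active, "no active bid for caller");
        b.active = false;                          // effect before the transfer
        (bool ok, ) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");
    }

    // Refunds every active losing bid; paying out the winner is left out here.
    function claimAuction(uint256 tokenId) external nonReentrant {
        require(block.timestamp >= endTime[tokenId], "auction live");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;                   // effect before any transfer
        Bid[] storage all = bids[tokenId];
        uint256 win = 0;
        for (uint256 i = 1; i < all.length; i++) {
            if (all[i].active && (!all[win].active || all[i].amount > all[win].amount)) win = i;
        }
        for (uint256 i = 0; i < all.length; i++) {
            if (i == win || !all[i].active) continue;
            all[i].active = false;                 // a refunded bid can never be refunded again
            (bool ok, ) = payable(all[i].bidder).call{value: all[i].amount}("");
            require(ok, "refund failed");
        }
    }
}
```

With this layout a bidder reached during the refund loop cannot re-enter `cancelBid` (the mutex is held and the window has closed), and even without the mutex the bid is already inactive when the external call happens.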
Assessed type
Reentrancy