Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Malicious users can manipulate the bid amount placing higher bids, and cancel their bids before ending the auction #1910

Closed
c4-submissions opened this issue Nov 13, 2023 · 7 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1323 partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134

Vulnerability details

Impact

The existing implementation of AuctionDemo permits malicious users to manipulate the bidding process. These users strategically place counter bids for each highest bid, inflating the NFT price. They then cancel all the bids just before the auction concludes. As a consequence, other bidders are compelled to pay inflated amounts to claim the NFT.

Proof of Concept

Step 1: Malicious user places counter bids to inflate the NFT price
Malicious user participateToAuction(tokenId) with highestBidAmount + incrementAmount1 as msg.value
Malicious user participateToAuction(tokenId) with highestBidAmount + incrementAmount2 as msg.value

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57

Repeats when a user place a new bid.

Step 2: Malicious user cancels all the bids or the highest bid just before concluding the auction
cancelAllBids()

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134

Result: Other bidders need to pay high amounts to claim the NFT due to manipulated bids.

Tools Used

Manual Review

Recommended Mitigation Steps

Prevent users from canceling their bid if they are the highest bidder. This measure compels the highest bidder or any potential malicious user to proceed with claiming the NFT rather than canceling the bid.

Assessed type

Other

@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #962

@c4-judge
Copy link

c4-judge commented Dec 2, 2023

alex-ppg marked the issue as not a duplicate

@c4-judge c4-judge reopened this Dec 2, 2023
@c4-judge
Copy link

c4-judge commented Dec 2, 2023

alex-ppg marked the issue as duplicate of #1784

@c4-judge
Copy link

c4-judge commented Dec 7, 2023

alex-ppg marked the issue as duplicate of #1323

@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-25

@c4-judge c4-judge added partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) satisfactory satisfies C4 submission criteria; eligible for awards and removed partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) labels Dec 8, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Dec 8, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1323 partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)
Projects
None yet
Development

No branches or pull requests

3 participants