
User can participate, claim and cancel all his bids in one block #1912

Closed
c4-submissions opened this issue Nov 13, 2023 · 4 comments
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); duplicate-1323; satisfactory (satisfies C4 submission criteria; eligible for awards)

Comments

@c4-submissions
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L58
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125

Vulnerability details

Bug Description

The auctionDemo smart contract has three functions responsible for the NFT auction. All these functions, participateToAuction, claimAuction, and cancelBid, lack reentrancy checks and can be called when block.timestamp == minter.getAuctionEndTime(), meaning at the same time.

Proof-of-Concept

The participateToAuction, cancelBid, and claimAuction functions can be called in the last second of the auction:

block.timestamp <= minter.getAuctionEndTime(_tokenid)
block.timestamp >= minter.getAuctionEndTime(_tokenid)

Additionally, there are no reentrancy checks in the aforementioned functions, and low-level calls are not checked for success.

Let's consider the following scenario:

Grouping all the aforementioned issues, we have the following scenario:
Preconditions: There are two different auctions for NFT with id 1, the highest bid being 3 ETH, and for NFT with id 2, the highest bid being 5 ETH.

  1. A malicious user participates with a small bid (1 wei) in the auction for NFT id 1.
  2. Other users also participate in the auction, and the highest bid reaches 3 ETH.
  3. In the last second of the auction, the malicious user rebids in the auction for NFT 1 with a bid of 4 ETH and executes claimAuction and cancelBid in the same transaction. Additionally, other users may also cancelBid in the same block, even after a refund in the claimAuction function.

Impact

The user can obtain the NFT and claim ETH for participating.

Tools Used

Manual

Recommended Mitigation Steps

Consider changing claimAuction as follows:

function claimAuction(
        uint256 _tokenid
    ) public WinnerOrAdminRequired(_tokenid, this.claimAuction.selector) {
        require(
-            block.timestamp >= minter.getAuctionEndTime(_tokenid) &&
+            block.timestamp > minter.getAuctionEndTime(_tokenid) &&
                auctionClaim[_tokenid] == false &&
                minter.getAuctionStatus(_tokenid) == true
        );

		///code
}
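Review bot: The strict `block.timestamp > minter.getAuctionEndTime(_tokenid)` bound in this hunk only closes the overlap between claimAuction and the `<=` window of participateToAuction; the report names cancelBid as callable in that same last second, so its window condition should be shown and aligned as well, otherwise a cancel and a claim can still share a block. The hunk also leaves the other two findings in the description untouched: the functions still have no reentrancy guard and the low-level refund calls are still not checked for success. Suggest pairing this change with a `nonReentrant` modifier on all three functions, marking a bid inactive before its ETH is sent, and `require`-ing the boolean returned by each `.call{value: ...}("")`.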

Assessed type

Invalid Validation
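As an added hardening sketch (not code from the NextGen repository or the report), the following shows the shape the three findings point to: bidding and cancelling only while `block.timestamp <= endTime`, claiming only while `block.timestamp > endTime` so the windows never share a block, a reentrancy guard, effects before every transfer, and checked low-level calls. The local `auctionEndTime` store, the constructor, and the omitted winner/admin modifier are assumptions made to keep it self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Assumed sketch: end time is stored locally rather than read from the minter, and winner/admin access control is omitted.
contract HardenedAuctionSketch {
    struct Bid { address bidder; uint256 amount; bool active; }
    mapping(uint256 => uint256) public auctionEndTime;
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public auctionClaim;
    uint256 private locked = 1; // minimal reentrancy guard
    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(uint256 tokenId, uint256 endTime) { auctionEndTime[tokenId] = endTime; }
    // Bids and cancellations are accepted while block.timestamp <= endTime ...
    function participateToAuction(uint256 tokenId) external payable nonReentrant {
        require(block.timestamp <= auctionEndTime[tokenId], "auction over");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }
    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant {
        require(block.timestamp <= auctionEndTime[tokenId], "auction over");
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.active, "no active bid");
        uint256 refund = b.amount;
        b.active = false; b.amount = 0; // effects recorded before the ETH transfer
        (bool ok, ) = msg.sender.call{value: refund}("");
        require(ok, "refund failed"); // low-level call result is checked
    }
    // ... while claiming requires block.timestamp > endTime, so a bid or cancel can
    // never land in the same block as a claim. Effects precede every transfer.
    function claimAuction(uint256 tokenId) external nonReentrant {
        require(block.timestamp > auctionEndTime[tokenId], "not ended");
        require(!auctionClaim[tokenId], "already claimed");
        auctionClaim[tokenId] = true;
        Bid[] storage all = bids[tokenId];
        uint256 win; // cancelled bids hold amount 0, so they never win
        for (uint256 i = 1; i < all.length; i++) if (all[i].amount > all[win].amount) win = i;
        require(all[win].active, "no active bids"); // also reverts on an empty array
        for (uint256 i = 0; i < all.length; i++) {
            if (i == win || !all[i].active) continue;
            uint256 refund = all[i].amount;
            all[i].active = false; all[i].amount = 0;
            (bool ok, ) = all[i].bidder.call{value: refund}("");
            require(ok, "refund failed");
        }
        // NFT transfer to all[win].bidder would follow here.
    }
}
```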

@c4-submissions c4-submissions added the labels 3 (High Risk) (Assets can be stolen/lost/compromised directly) and bug (Something isn't working) on Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-pre-sort

141345 marked the issue as duplicate of #1904

@c4-pre-sort

141345 marked the issue as duplicate of #962

@c4-judge

c4-judge commented Dec 4, 2023

alex-ppg marked the issue as duplicate of #1323

@c4-judge c4-judge added the labels duplicate-1323 and satisfactory (satisfies C4 submission criteria; eligible for awards) and removed duplicate-1547 on Dec 4, 2023
@c4-judge

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as satisfactory
