User can participate, claim and cancel all his bids in one block #1912
Labels
3 (High Risk): assets can be stolen/lost/compromised directly
bug
duplicate-1323
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L58
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125
Vulnerability details
Bug Description
The auctionDemo smart contract has three functions responsible for the NFT auction: participateToAuction, claimAuction, and cancelBid. All three lack reentrancy checks, and all three can be called when block.timestamp == minter.getAuctionEndTime(): participateToAuction and cancelBid accept block.timestamp <= end time, while claimAuction accepts block.timestamp >= end time, so at that one instant all three are callable in the same block, and even in the same transaction.
Proof-of-Concept
The participateToAuction, cancelBid, and claimAuction functions can all be called in the last second of the auction (see the timestamp checks at the three lines linked above).
Additionally, there are no reentrancy checks in these functions, and the return value of their low-level calls is never checked, so a failed ETH transfer does not revert.
Let's consider the following scenario, which combines all the aforementioned issues.
Preconditions: there are two different auctions, one for the NFT with id 1, where the highest bid is 3 ETH, and one for the NFT with id 2, where the highest bid is 5 ETH.
The user then calls claimAuction and cancelBid in the same transaction. Additionally, other users may also call cancelBid in the same block, even after having already been refunded by claimAuction.
Impact
The user obtains the NFT and gets the ETH of the bid back, so the NFT is effectively free. Bidders who were already refunded by claimAuction can withdraw their bid a second time via cancelBid, so the contract pays out more ETH than the auction collected, at the expense of ETH held for other auctions.
Tools Used
Manual
Recommended Mitigation Steps
Consider changing claimAuction as follows:
Assessed type
Invalid Validation
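The scenario in the Proof-of-Concept and the mitigation above, as an added example in Python; this is not the project's Solidity and not the warden's recommended diff, which is not reproduced on this page. It is a toy model of the three auction functions with the inclusive timestamp bounds the finding describes and with claimAuction never marking refunded bids inactive, beside a hardened variant that makes the deadline strict on the bidder side (participateToAuction/cancelBid) and clears each bid's status before any ETH leaves. The names and values (AuctionModel, run_scenario, the bidders alice and bob, the END timestamp, and the 10 ETH of escrow the contract holds for another auction) are constructed for the example; reentrancy is not modelled.

```python
# Toy model of the AuctionDemo timing bug (added example, not the project's Solidity).
ETH = 10**18  # amounts in wei
END = 1_000   # constructed auction end timestamp (stands in for minter.getAuctionEndTime)


class Revert(Exception):
    """Stands in for a failed Solidity require()."""


def require(cond, msg="revert"):
    if not cond:
        raise Revert(msg)


class Bid:
    def __init__(self, bidder, amount):
        self.bidder, self.amount, self.status = bidder, amount, True  # status True = live


class AuctionModel:
    """One token's auction. hardened=False mirrors the checks the finding describes
    (inclusive deadline on both sides, claimAuction never marks bids inactive);
    hardened=True makes the bidder-side bound strict and clears status before paying."""

    def __init__(self, end_time, owner, hardened, escrow_from_other_auctions):
        self.end_time, self.owner, self.hardened = end_time, owner, hardened
        self.bids, self.claimed, self.nft_holder = [], False, owner
        self.balances = {owner: 0}
        self.pool = escrow_from_other_auctions  # ETH the contract holds for other auctions

    def _pay(self, to, amount):  # unchecked low-level call: a failed send is swallowed
        if self.pool >= amount:
            self.pool -= amount
            self.balances[to] = self.balances.get(to, 0) + amount

    def _highest(self):
        live = [b for b in self.bids if b.status]
        return max(live, key=lambda b: b.amount) if live else None

    def _bidding_open(self, now):  # vulnerable: still open at now == end_time
        return now < self.end_time if self.hardened else now <= self.end_time

    def participate(self, now, bidder, value):
        top = self._highest()
        require(value > (top.amount if top else 0), "bid too low")
        require(self._bidding_open(now), "auction ended")
        self.balances[bidder] = self.balances.get(bidder, 0) - value
        self.pool += value
        self.bids.append(Bid(bidder, value))

    def cancel_bid(self, now, bidder, index):
        require(self._bidding_open(now), "auction ended")
        bid = self.bids[index]
        require(bid.bidder == bidder and bid.status, "not your live bid")
        bid.status = False
        self._pay(bidder, bid.amount)

    def claim(self, now, caller):  # claimable at now >= end_time: overlaps with the above
        require(now >= self.end_time and not self.claimed, "not claimable")
        winner = self._highest()
        require(winner is not None and caller in (winner.bidder, self.owner), "not winner/admin")
        self.claimed = True
        for bid in self.bids:
            live = bid.status
            if self.hardened:
                bid.status = False  # effect first: no later cancelBid, no second refund
            if not live:
                continue
            if bid is winner:
                self.nft_holder = winner.bidder
                self._pay(self.owner, bid.amount)
            else:
                self._pay(bid.bidder, bid.amount)  # vulnerable: bid stays cancellable


def run_scenario(hardened):
    """Alice bids early; Bob bids, claims and cancels everything at now == END."""
    a = AuctionModel(END, "owner", hardened, escrow_from_other_auctions=10 * ETH)
    a.balances.update({"alice": 10 * ETH, "bob": 10 * ETH})
    outcome = {}

    def attempt(name, fn):
        try:
            fn()
            outcome[name] = "ok"
        except Revert as e:
            outcome[name] = "revert: " + str(e)

    attempt("alice_bid_early", lambda: a.participate(10, "alice", 1 * ETH))
    attempt("bob_bid_before_end", lambda: a.participate(END - 1, "bob", 2 * ETH))
    attempt("bob_bid_at_end", lambda: a.participate(END, "bob", 3 * ETH))
    attempt("bob_claim_at_end", lambda: a.claim(END, "bob"))
    for i, b in enumerate(a.bids):
        if b.bidder == "bob":
            attempt(f"bob_cancel_{i}", lambda i=i: a.cancel_bid(END, "bob", i))
    attempt("alice_cancel_at_end", lambda: a.cancel_bid(END, "alice", 0))
    outcome["nft_holder"] = a.nft_holder
    outcome["balances"] = dict(a.balances)
    outcome["escrow_shortfall"] = 10 * ETH - a.pool  # ETH taken from other auctions' escrow
    return outcome
```

With hardened=False, Bob ends the block holding the NFT and 2 ETH more than he started with, Alice is refunded twice, and 6 ETH of the escrow held for the other auction is gone; with hardened=True the claim at the deadline still succeeds but every bid at or after END reverts and no bid can be paid out twice. Two separate changes are at work: making one side of the deadline comparison strict removes the block in which claim and cancel overlap, while clearing each bid's status before the payout is what stops the winner's cancelBid and the second refund regardless of timing. Since the model also keeps the unchecked low-level send, note that once status is cleared before the send, a failed transfer silently loses the refund; a production fix should revert on failure or switch to pull-style withdrawals.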