-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bidder Can Retrieve Bid Amount Twice in claimAuction
#2029
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
c4-submissions
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Nov 13, 2023
141345 marked the issue as duplicate of #2039 |
141345 marked the issue as duplicate of #51 |
141345 marked the issue as not a duplicate |
141345 marked the issue as duplicate of #962 |
c4-judge
added
duplicate-1547
duplicate-1323
and removed
duplicate-962
duplicate-1547
labels
Dec 2, 2023
alex-ppg marked the issue as duplicate of #1323 |
alex-ppg marked the issue as partial-50 |
c4-judge
added
the
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
label
Dec 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L116-L130
Vulnerability details
Impact
This vulnerability enables a bidder to recover their bid amount twice during the execution of the claimAuction function.
Proof of Concept
A race condition between the claimAuction and cancelBid functions allows a non-winning bidder to claim their bid twice:
require(block.timestamp >= minter.getAuctionEndTime(_tokenid))
.require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");
.(bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("")
, can use itsreceive()
function to re-enter thecancelBid
function. This reentrancy can occur within the same block timestamp.cancelBid
and reclaim their bid, effectively receiving their bid amount twice.Tools Used
manual review
Recommended Mitigation Steps
Fix timing checks in
claimAuction
andcancelBid
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: