Improper time checks could allow attacker to take money from other auction users #35
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/71d055b623b0d027886f1799739b7f785b5bc7cd/smart-contracts/AuctionDemo.sol#L116
https://github.com/code-423n4/2023-10-nextgen/blob/71d055b623b0d027886f1799739b7f785b5bc7cd/smart-contracts/AuctionDemo.sol#L135
https://github.com/code-423n4/2023-10-nextgen/blob/71d055b623b0d027886f1799739b7f785b5bc7cd/smart-contracts/AuctionDemo.sol#L105
Vulnerability details
Impact
There are improper time checks in AuctionDemo.sol. participateToAuction(), cancelBid(), cancelAllBids() in AuctionDemo.sol, use
block.timestamp <= minter.getAuctionEndTime(_tokenid)
to check auction end. But claimAuction() useblock.timestamp >= minter.getAuctionEndTime(_tokenid)
.So when in condition block.timestamp == minter.getAuctionEndTime(_tokenid), The auction is closed at the same time as it is progressing, so all function is callable.
In claimAuction(), refund routine make bidder could call again cancelBid() or cancelAllBids() in fallback(). because there are no routine
auctionInfoData[_tokenid][index].status = false;
So, attacker could request twice for refund.
Here is flow for attack.
Proof of Concept
And here is result of test. And this is the case when attacker get the least amount of money. If attacker call many participateToAuction() and cancelBid() for each, the profit can be maximized.
Tools Used
Manual
Recommended Mitigation Steps
I recommand that the conditions change clearly, In this case, use '>' using
>=
.Here is result of patch.
Assessed type
Timing
The text was updated successfully, but these errors were encountered: