Reentrancy on AuctionDemo allows an attacker to win the auction for free #370
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L125
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L135
Vulnerability details
Impact
An attacker can submit the highest bid in the auction, win it, and receive both the NFT and the ether they bid, essentially winning the auction for free.
Context
If block.timestamp == auctionEndTime, then all four of participateToAuction, claimAuction, cancelBid and cancelAllBids can be called by a user in the AuctionDemo contract:
AuctionDemo::participateToAuction
AuctionDemo::claimAuction
AuctionDemo::cancelBid and AuctionDemo::cancelAllBids
Proof of Concept
Let's suppose there are two auctions running: auction0 and auction1. auction1 finishes after auction0. When the end time of auction0 arrives, Charlie executes the attack on auction0, getting back the money he bid, and auction1 becomes insolvent.
Here's part of the contract the attacker can use to execute the attack:
Complete test file and attacker contract: https://gist.github.com/EperezOk/d24154562d15c8530846f7b4e90ace48
Tools Used
Manual review and Foundry.
Recommended Mitigation Steps
Don't allow claimAuction to be called in the same block as the rest of the functions in the AuctionDemo contract:
Assessed type
Reentrancy
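One way to implement the mitigation recommended above, written here as an added illustration and not taken from the NextGen repository or the linked gist: a minimal auction contract in which bidding and cancelling require block.timestamp strictly below auctionEndTime while claiming requires it strictly above, so no single block satisfies both checks, combined with a reentrancy guard and state updates before every ether transfer. The contract name, the storage layout and the payout of the winning bid to an owner address are assumptions; only the function and variable names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration of the recommended fix (not AuctionDemo's code); names follow the report, the storage layout is assumed.
contract AuctionWindowFix {
    struct Bid { address bidder; uint256 amount; bool status; }
    address public immutable owner = msg.sender;       // receives the winning bid
    mapping(uint256 => uint256) public auctionEndTime; // tokenId => end timestamp
    mapping(uint256 => Bid[]) public auctionBids;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true; _; locked = false;
    }
    // Bidding and cancelling only strictly BEFORE the end time. Per the report, the
    // original checks let all four functions run at block.timestamp == auctionEndTime.
    modifier auctionOpen(uint256 tokenId) {
        require(block.timestamp < auctionEndTime[tokenId], "auction closed"); _;
    }
    // Claiming only strictly AFTER the end time: the windows never overlap, so a
    // bid can no longer be claimed and refunded within the same block.
    modifier auctionEnded(uint256 tokenId) {
        require(block.timestamp > auctionEndTime[tokenId], "auction not ended"); _;
    }
    function participateToAuction(uint256 tokenId) external payable auctionOpen(tokenId) {
        auctionBids[tokenId].push(Bid(msg.sender, msg.value, true));
    }
    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant auctionOpen(tokenId) {
        Bid storage b = auctionBids[tokenId][index];
        require(b.bidder == msg.sender && b.status, "not an active bid");
        b.status = false;                                   // effect before interaction
        (bool ok, ) = msg.sender.call{value: b.amount}("");
        require(ok, "refund failed");
    }
    function claimAuction(uint256 tokenId) external nonReentrant auctionEnded(tokenId) {
        Bid[] storage bids = auctionBids[tokenId];
        uint256 winner; uint256 high;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].status && bids[i].amount > high) { high = bids[i].amount; winner = i; }
        }
        require(high > 0, "no active bids");
        for (uint256 i = 0; i < bids.length; i++) {
            if (!bids[i].status) continue;
            bids[i].status = false;                            // settle before paying out
            address to = i == winner ? owner : bids[i].bidder; // proceeds vs. refund
            (bool ok, ) = to.call{value: bids[i].amount}("");
            require(ok, "payout failed");
        }   // transferring the NFT to bids[winner].bidder would follow here (omitted)
    }
}
```

The strict inequalities are the core of the fix: the report's issue hinges on the single block where block.timestamp == auctionEndTime, and with these checks that block is rejected by both windows.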