Auction winner can claim token and cancel bid at the same time #635
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
partial-25: Incomplete articulation of vulnerability; eligible for partial credit only (25%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
Vulnerability details
Impact
Auction winner can claim token and cancel bid at the AuctionEndTime, so the user gets a free token and the protocol suffers a loss.

Proof of Concept
User can claim token at the end of an auction:
And user can also cancel bid at the end of an auction:
So if block.timestamp is equal to AuctionEndTime, a winner can claim the token and then cancel his bid at the same time. The winner gets a free token and the protocol suffers a loss.

Tools Used
Manual Review
Recommended Mitigation Steps
Token should only be claimed after auction ends.
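To make the boundary condition concrete, the following is an added illustrative model written for this write-up; it is not the project's AuctionDemo.sol, and every name in it (auctionEndTime, highestBidder, bids, beneficiary, TokenClaimed) is an assumption. The two variants differ only in the claim-window comparison: with `>=` there is one timestamp at which both claimAuction() and cancelBid() pass their checks, and with the strict `>` recommended above there is none.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative model (added here; not the project's AuctionDemo.sol).
// It reproduces the boundary condition from the finding: the claim check
// and the cancel check both hold when block.timestamp == auctionEndTime.
abstract contract AuctionModel {
    uint256 public immutable auctionEndTime;
    address public immutable beneficiary;
    address public highestBidder;
    bool public claimed;
    mapping(address => uint256) public bids;

    event TokenClaimed(address indexed winner);

    constructor(uint256 endTime, address payee) {
        auctionEndTime = endTime;
        beneficiary = payee;
    }

    // The only line that differs between the vulnerable and fixed variants.
    function _claimWindowOpen() internal view virtual returns (bool);

    // One bid per address; bidding closes strictly before auctionEndTime.
    // (The model does not re-elect a highest bidder after a cancel.)
    function bid() external payable {
        require(block.timestamp < auctionEndTime, "auction over");
        require(bids[msg.sender] == 0, "one bid per address");
        require(msg.value > bids[highestBidder], "bid too low");
        bids[msg.sender] = msg.value;
        highestBidder = msg.sender;
    }

    // Winner claims the token and the winning bid is forwarded to the beneficiary.
    // Model assumption: the winner's bid record is not cleared here, so the
    // refund path stays reachable and a refund is paid from the contract's
    // pooled balance (other bidders' deposits).
    function claimAuction() external {
        require(_claimWindowOpen(), "auction not ended");
        require(msg.sender == highestBidder && !claimed, "not winner or already claimed");
        claimed = true;
        (bool ok, ) = beneficiary.call{value: bids[highestBidder]}("");
        require(ok, "payout failed");
        emit TokenClaimed(msg.sender); // stands in for the token transfer
    }

    // Any bidder, the current winner included, may withdraw while the auction is open.
    function cancelBid() external {
        require(block.timestamp <= auctionEndTime, "auction ended");
        uint256 amount = bids[msg.sender];
        require(amount > 0, "no active bid");
        bids[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}

// VULNERABLE: at block.timestamp == auctionEndTime both _claimWindowOpen()
// and the cancelBid() check are true, so the winner can claim the token and
// then refund their own bid in the same block.
contract VulnerableAuction is AuctionModel {
    constructor(uint256 endTime, address payee) AuctionModel(endTime, payee) {}

    function _claimWindowOpen() internal view override returns (bool) {
        return block.timestamp >= auctionEndTime;
    }
}

// FIXED: the claim window opens strictly after auctionEndTime, so no
// timestamp satisfies both the claim predicate and the cancel predicate.
contract FixedAuction is AuctionModel {
    constructor(uint256 endTime, address payee) AuctionModel(endTime, payee) {}

    function _claimWindowOpen() internal view override returns (bool) {
        return block.timestamp > auctionEndTime;
    }
}
```

Whichever side of the boundary is made strict, the check to carry into review is that the claim predicate and the cancel predicate are never simultaneously true for any block.timestamp; a unit test that warps to exactly auctionEndTime and asserts one of the two calls reverts pins this down.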
Assessed type
Access Control