Winner and bidders can double-refund their bids #66
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L125
Vulnerability details
Impact
Because both claimAuction and cancelBid accept the exact auction end time in their time checks (a ">=" on the claim side and a "<=" on the cancel side), bidders are able to double-refund their bids.
Proof of Concept
The winner is able to claim the auction at its exact auction end time.
However, bidders are also able to cancel their bids at the exact auction end time.
This means that the winner can claim, and he or some other bidder can double-refund their bids: the refund is first received inside claimAuction, and the same bid is then cancelled with cancelBid.
A few example scenarios follow; in every one of them the actor must hold some failed (not winning) bids:
The winner can make multiple bids and either re-enter here after every non-winning bid is refunded, or simply schedule claimAuction and cancelBid on all his non-winning bids in one transaction.
Users can re-enter on the refund of their failed bids and refund them again.
The seller of the NFT can re-enter and claim his failed bids.
Users can back-run the claimAuction call, and as long as they land in the same timestamp they will be able to call cancelBid.
Tools Used
Manual review
Recommended Mitigation Steps
Even if the re-entrancy is fixed, the winner would still be able to schedule claimAuction and cancelBid in one transaction and double-refund his other bids. The main issue is the "<=" time check in cancelBid, which needs to be made "<".
Assessed type
Invalid Validation
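The mitigation above, as an added example that is not the project's AuctionDemo.sol code: a minimal Solidity auction sketch in which cancelBid compares against the end time with a strict "<", so no timestamp satisfies both it and claimAuction's ">=", and both functions mark a bid as refunded before sending value. The IAuctionEndTime interface, the Bid struct and the function bodies are simplified assumptions, not the original contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed stand-in for the minter the real contract queries for the auction end time.
interface IAuctionEndTime {
    function getAuctionEndTime(uint256 tokenId) external view returns (uint256);
}

contract AuctionBidsHardened {
    // status == true means the bid's ether is still held by this contract (refundable).
    struct Bid { address bidder; uint256 amount; bool status; }
    IAuctionEndTime public immutable minter;
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public claimed;
    constructor(IAuctionEndTime _minter) { minter = _minter; }

    function bid(uint256 tokenId) external payable {
        require(block.timestamp < minter.getAuctionEndTime(tokenId), "auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // Claim keeps ">=": the end timestamp is the first moment at which settlement is allowed.
    function claimAuction(uint256 tokenId) external {
        require(block.timestamp >= minter.getAuctionEndTime(tokenId), "not ended");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true; // effect recorded before any external call
        Bid[] storage b = bids[tokenId];
        uint256 high; uint256 winner;
        for (uint256 i; i < b.length; i++) {
            if (b[i].status && b[i].amount > high) { high = b[i].amount; winner = i; }
        }
        for (uint256 i; i < b.length; i++) {
            if (i == winner || !b[i].status) continue;
            b[i].status = false; // marked refunded before paying, so a later cancelBid has nothing to refund
            (bool ok,) = payable(b[i].bidder).call{value: b[i].amount}("");
            require(ok, "refund failed");
        }
    }

    // The vulnerable form was "block.timestamp <= end", which overlaps with claimAuction's ">="
    // at exactly end. Strict "<" leaves no timestamp at which both checks pass.
    function cancelBid(uint256 tokenId, uint256 index) external {
        require(block.timestamp < minter.getAuctionEndTime(tokenId), "auction ended");
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.status, "not refundable");
        b.status = false; // checks-effects-interactions: no second refund via re-entrancy either
        (bool ok,) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");
    }
}
```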