Attacker can exploit reentrancy vulnerability to get ownership of auctioned token for free #725
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
edited-by-warden
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
Since control is passed to highestBidder's onERC721Received() inside claimAuction(), and there is no reentrancy guard on various public functions like claimAuction(), cancelBid() and cancelAllBids(), an attacker can take part in the auction and get ownership of the token for free.
Proof of Concept
Attack steps:
onERC721Received() inside the attacker contract.
onERC721Received().
He is the owner of the token for free.
Steps to run the PoC code:
Run forge init --no-git --force from the root folder (2023-10-nextgen/).
Put the PoC test file at 2023-10-nextgen/test/t0x1cClaimAuction.t.sol.
Run forge test --mt test_t0x1cClaimAuction -vv.
Tools Used
Foundry.
Recommended Mitigation Steps
Add reentrancy guards on all public/external functions.
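As an added illustration of that mitigation (this is not NextGen's AuctionDemo.sol nor any code from the finding; every contract, function and variable name below is an assumption made for the example), the simplified auction here puts a nonReentrant mutex on claimAuction(), cancelBid() and the refund path, and also follows checks-effects-interactions: the claimed flag and every bid's active flag are written before safeTransferFrom() hands control to the winner's onERC721Received(), so a callback that tries to re-enter the cancel functions fails on the guard and would find nothing left to cancel even without it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only: a simplified single-token auction, NOT NextGen's
// AuctionDemo.sol. All names below are assumptions made for this example.
interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Mutex modifier in the style of OpenZeppelin's ReentrancyGuard.
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "ReentrancyGuard: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

contract GuardedAuction is ReentrancyGuard {
    struct Bid {
        address bidder;
        uint256 amount;
        bool active; // false once settled or cancelled
    }

    IERC721Minimal public immutable token;
    uint256 public immutable tokenId;
    address public immutable seller;
    uint256 public immutable endTime;
    bool public claimed;
    Bid[] public bids;
    mapping(address => uint256) public pendingRefund; // pull-payment balances

    // The seller (deployer) must have approved this contract to move tokenId.
    constructor(IERC721Minimal _token, uint256 _tokenId, uint256 duration) {
        token = _token;
        tokenId = _tokenId;
        seller = msg.sender;
        endTime = block.timestamp + duration;
    }

    function participate() external payable nonReentrant {
        require(block.timestamp < endTime, "auction ended");
        bids.push(Bid(msg.sender, msg.value, true));
    }

    // Guarded: the onERC721Received() callback that safeTransferFrom() triggers
    // cannot re-enter this function, cancelBid() or withdrawRefund().
    function claimAuction() external nonReentrant {
        require(block.timestamp >= endTime, "auction live");
        require(!claimed, "already claimed");
        claimed = true; // effect recorded before any external call
        uint256 winnerIdx = type(uint256).max;
        uint256 highest;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].active && bids[i].amount > highest) {
                highest = bids[i].amount;
                winnerIdx = i;
            }
        }
        require(winnerIdx != type(uint256).max, "no bids");
        // Settle every bid in storage first; losers are credited, not paid inline,
        // so no refund recipient can block or re-enter the claim.
        for (uint256 i = 0; i < bids.length; i++) {
            if (!bids[i].active) continue;
            bids[i].active = false;
            if (i != winnerIdx) pendingRefund[bids[i].bidder] += bids[i].amount;
        }
        address winner = bids[winnerIdx].bidder;
        // Interactions last: seller payout, then the transfer that hands control to the winner.
        (bool paid, ) = seller.call{value: highest}("");
        require(paid, "payout failed");
        token.safeTransferFrom(seller, winner, tokenId);
    }

    // Guarded as well, so it cannot run from inside a claim that is in progress.
    function cancelBid(uint256 index) external nonReentrant {
        require(block.timestamp < endTime, "auction ended");
        Bid storage b = bids[index];
        require(b.bidder == msg.sender && b.active, "not your active bid");
        b.active = false; // effect before the refund leaves the contract
        (bool ok, ) = msg.sender.call{value: b.amount}("");
        require(ok, "refund failed");
    }

    function withdrawRefund() external nonReentrant {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0; // zero before sending
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The single _status mutex is shared by all guarded functions, which is what makes the guard meaningful here: it is the cross-function case (a callback from claimAuction() landing in cancelBid()) that a per-function flag would miss. Refunds to losing bidders go through pendingRefund rather than inline calls so that no recipient's fallback can revert or re-enter while the claim is settling.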
Assessed type
Reentrancy