If auction winner doesn't accept the NFT, bidders won't get refunded #793
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- downgraded by judge: Judge downgraded the risk level of this issue
- duplicate-739
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/08a56bacd286ee52433670f3bb73a0e4a4525dd4/smart-contracts/AuctionDemo.sol#L111
Vulnerability details
Impact
If the winning bidder bids through a contract, `safeTransferFrom` will revert if the bidder contract doesn't have an `onERC721Received` function or doesn't respond with the correct selector. In this case, the previous bidders won't receive a refund and the owner won't receive the highestBid, so the ETH is stuck in the contract.
It is unlikely that this will be used as an attack vector, because the winner would also lose his bid(s) and not receive the auctioned token, but it could happen accidentally.
Proof Of Concept
Tools Used
Foundry
Recommended Mitigation steps
A parameter `_transferTo` could be added to the `claimAuction` function, so that if the winner doesn't accept the token, the auction can still be ended by the winner / functionAdmin / globalAdmin and the token sent to an alternative address. A second possibility is to check, when the bidder is a contract, that the correct value is returned before a bid can be placed.
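As an added illustration (not NextGen's `AuctionDemo.sol`) of the pattern this report describes: the single-transaction claim in which one failing `safeTransferFrom` blocks every refund, beside the `_transferTo` variant proposed above. `AuctionSketch`, `IERC721Like`, `bid`, `winnerIndex` and `_settle` are hypothetical names, and a single `owner` stands in for the winner / functionAdmin / globalAdmin roles.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical sketch, not the NextGen code. `owner` is both the seller of the
// token and the stand-in for the functionAdmin / globalAdmin roles.
interface IERC721Like {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract AuctionSketch {
    struct Bid { address bidder; uint256 amount; }
    IERC721Like public immutable nft;
    address public immutable owner;
    mapping(uint256 => Bid[]) internal bids;   // tokenId => every bid placed
    mapping(uint256 => bool) public claimed;

    constructor(IERC721Like _nft) { nft = _nft; owner = msg.sender; }

    function bid(uint256 tokenId) external payable {
        bids[tokenId].push(Bid(msg.sender, msg.value));
    }

    function winnerIndex(uint256 tokenId) public view returns (uint256 idx) {
        Bid[] storage b = bids[tokenId];
        for (uint256 i = 1; i < b.length; i++) if (b[i].amount > b[idx].amount) idx = i;
    }

    // Vulnerable shape: token delivery and all refunds share one transaction. If the
    // winner is a contract without onERC721Received, safeTransferFrom reverts and
    // no losing bidder can ever be refunded; the ETH stays in this contract.
    function claimAuction(uint256 tokenId) external {
        _settle(tokenId, bids[tokenId][winnerIndex(tokenId)].bidder);
    }

    // Mitigated shape: the caller names the token recipient, so a winner whose
    // contract cannot receive ERC721s (or an admin) can still settle and release refunds.
    function claimAuction(uint256 tokenId, address _transferTo) external {
        address winner = bids[tokenId][winnerIndex(tokenId)].bidder;
        require(msg.sender == winner || msg.sender == owner, "not winner or admin");
        _settle(tokenId, _transferTo);
    }

    function _settle(uint256 tokenId, address tokenRecipient) internal {
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;                              // effects before interactions
        Bid[] storage b = bids[tokenId];
        uint256 win = winnerIndex(tokenId);
        nft.safeTransferFrom(owner, tokenRecipient, tokenId); // reverts for a non-receiver
        (bool ok,) = payable(owner).call{value: b[win].amount}(""); require(ok, "payout");
        for (uint256 i = 0; i < b.length; i++) {
            if (i == win) continue;
            (bool r,) = payable(b[i].bidder).call{value: b[i].amount}(""); require(r, "refund");
        }
    }
}
```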
Assessed type
DoS