Users can lose their funds when participating in a claimed Auction #82
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-175
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57-L61
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
Users will lose their funds forever if they participate in claimed auctions.
Proof of Concept
The admin of the protocol can open an auction on a newly minted token by calling `NextGenMinterContract.mintAndAuction()`. This function mints a new token, sends it to the specified owner address, and then opens an auction for that token. After that, users can call the `auctionDemo.participateToAuction()` function to participate in a specific token's auction by sending ETH and specifying the tokenId. When the auctionEndTime arrives, the winner (the user with the highest bid) can claim the auction by calling the following function:
However, as you can see on both lines 105 and 58, when `block.timestamp == minter.getAuctionEndTime(_tokenid)` the winner is able to claim the auction while other users are still able to participate in it. Unfortunately, if the winner claims the auction first, every user who then participates in that claimed auction will lose their funds forever, because:
- in the `claimAuction()` function, `auctionClaim[_tokenid]` will be `!= false` once the auction is claimed;
- the `cancelBid()` function will also revert due to `require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");`
Here is a step-by-step Proof of Concept to reproduce this vulnerability:
Tools Used
Manual
Recommended Mitigation Steps
There are two ways to solve this issue:
- use `block.timestamp < minter.getAuctionEndTime(_tokenid)`
- add an `auctionClaim[_tokenid] == false` check to the participate `require()` call
Assessed type
Other
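The following simplified contract is an added example, not the NextGen `AuctionDemo` code or the warden's PoC. It models the boundary the report describes: a participate check using `<=` against the end time next to a claim check using `>=`, so that at `block.timestamp == endTime` the outcome depends only on transaction ordering within the block. The hardened participate function applies both recommended fixes. `endTime`, `bids`, `claimed`, `openAuction` and the function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified auction written for this note to illustrate the timestamp
/// boundary described in the report. It is NOT the NextGen AuctionDemo
/// contract; endTime, bids, claimed and the function names are assumptions.
contract BoundaryAuctionExample {
    struct Bid {
        address bidder;
        uint256 amount;
        bool active; // false once refunded or cancelled
    }

    mapping(uint256 => uint256) public endTime; // auction end per tokenId
    mapping(uint256 => Bid[]) public bids;      // bids per tokenId
    mapping(uint256 => bool) public claimed;    // set when the winner claims

    // Test-only hook with no access control; a real contract would restrict it.
    function openAuction(uint256 tokenId, uint256 end) external {
        endTime[tokenId] = end;
    }

    // VULNERABLE shape (the `<=` check the report points at): a bid is still
    // accepted when block.timestamp == endTime, the same instant at which
    // claim() below is already allowed, and nothing rejects a claimed auction.
    function participateVulnerable(uint256 tokenId) external payable {
        require(block.timestamp <= endTime[tokenId], "Auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // HARDENED shape with both recommended fixes: strict `<` removes the
    // shared timestamp, and `!claimed` rejects bids after settlement no matter
    // how transactions are ordered inside the block.
    function participateHardened(uint256 tokenId) external payable {
        require(block.timestamp < endTime[tokenId], "Auction ended");
        require(!claimed[tokenId], "Auction already claimed");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // Winner settles at or after endTime. Every losing bid recorded so far is
    // refunded and the auction is marked claimed. A bid that lands later in
    // the same block through participateVulnerable() is not in this loop, is
    // never refunded, and (see cancelBid) can never be withdrawn.
    function claim(uint256 tokenId) external {
        require(block.timestamp >= endTime[tokenId], "Auction not ended");
        require(!claimed[tokenId], "Already claimed");
        claimed[tokenId] = true;

        Bid[] storage b = bids[tokenId];
        uint256 winner = 0;
        for (uint256 i = 1; i < b.length; i++) {
            if (b[i].amount > b[winner].amount) winner = i;
        }
        for (uint256 i = 0; i < b.length; i++) {
            if (i == winner || !b[i].active) continue;
            b[i].active = false;
            (bool ok, ) = b[i].bidder.call{value: b[i].amount}("");
            require(ok, "Refund failed");
        }
        // The winning amount stays in the contract here; forwarding it to the
        // seller is left out because it is not what the report is about.
    }

    // Cancellation is only possible up to endTime, so a bidder who entered a
    // claimed auction at endTime has no path to recover the funds once the
    // next block arrives.
    function cancelBid(uint256 tokenId, uint256 index) external {
        require(block.timestamp <= endTime[tokenId], "Auction ended");
        Bid storage bd = bids[tokenId][index];
        require(bd.bidder == msg.sender && bd.active, "Not your active bid");
        bd.active = false;
        (bool ok, ) = msg.sender.call{value: bd.amount}("");
        require(ok, "Refund failed");
    }
}
```

To reproduce the stuck-funds state in a local test, open an auction, bid through `participateVulnerable`, warp the chain to exactly `endTime`, call `claim` and then bid again through `participateVulnerable` in that same block; the second bid is never refunded and `cancelBid` reverts from the next block on. The same sequence against `participateHardened` reverts at the second bid, which is the behaviour the mitigation is meant to give.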