The winner of the auction could DoS the claimAuction function, resulting in loss of funds for anyone who participated #859
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-739
- partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
Note: 1. This requires the attacker to lose his highest bid and lose out on the NFT. 2. Unlike the bot report, this is not due to the loop DoS.
When the auction is over, `claimAuction()` loops over the bids and (1) sends the NFT to the highest bidder and (2) returns the bids to the other participants. However, if the highest bidder reverts the transfer on purpose, no one will be able to get their bid value back. This is because the function loops over all bids in a single call and eventually reaches the transfer to the highest bidder, so that revert undoes the entire claim.
Proof of Concept
If the highest bidder reverts the transfer inside `claimAuction()`, it will always revert.
Tools Used
Manual review
Recommended Mitigation Steps
There are two ways to handle this.
1. Wrap the transfer in a try. If the attempt fails, save the values (bid amount and bidder) into a mapping and provide an additional function to retrieve those funds at a later time.
2. Provide a function like `claimAuction()` without the modifier, where the transfer only occurs if `msg.sender == auctionInfoData[_tokenid][i].bidder`.
Assessed type
DoS