-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DoS via external call in AuctionDemo.claimAuction() permanently locks all bids on an auction in the contract #913
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
c4-submissions
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Nov 10, 2023
c4-submissions
added a commit
that referenced
this issue
Nov 10, 2023
141345 marked the issue as duplicate of #1632 |
141345 marked the issue as duplicate of #843 |
141345 marked the issue as duplicate of #486 |
alex-ppg marked the issue as not a duplicate |
alex-ppg marked the issue as duplicate of #1782 |
alex-ppg marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Dec 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
All bids on the affected auction will be locked in the contract; the NFT will not be transferred to the auction winner.
Proof of Concept
Notice the
claimAuction()
function and inline comment below:Notice that
claimAuction()
usescall()
to transfer ETH to the bidders, and there is no gas limit on the call. As a result, if bidder's address is an attacker-controlled contract, it can execute arbitrary computation in the fallback function such thatclaimAuction()
is guaranteed to out-of-gas revert. The cost to the attacker can be quite low, as they can bid first on the auction for a small/negligible amount.The only way for bidders to be refunded after the auction is over is for
claimAuction()
to be called, so the affected auction's bids will be stuck in the contract forever. Furthermore, the NFT will not be transferred to the winning bidder.Recommended Mitigation
Add a gas limit to the transfer calls. Alternatively, refactor the contract so that
claimAuction()
only transfers the NFT, and bidders must call a separate function to be refunded after the auction ends.Assessed type
DoS
The text was updated successfully, but these errors were encountered: