Frontrunning the highest winning bid and having users' funds permanently blocked can happen by bidding in the same block as the winning claim #92
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-175
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L57-L58
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L105
Vulnerability details
Summary
Bidding in an auction (via `auctionDemo::participateToAuction`) and claiming the NFT at the end of an auction (via `auctionDemo::claimAuction`) can be called in the same block. This introduces 2 major issues:

- A user can frontrun `claimAuction` with his own `participateToAuction` (or simply call `participateToAuction` directly if nobody called `claimAuction`) and win simply by adding 1 WEI over the previous last winning bid, then himself call `claimAuction` in the same block and retrieve the NFT, thus winning the NFT auction by 1 WEI.
- If a user bids in the same block in which `claimAuction` is called but his transaction is after the `claimAuction`, it will not revert and he will lose his funds forever, since after that block the cancel bid functions will not work any more.

Vulnerability Details
After an auction has started users can bid using `auctionDemo::participateToAuction` and when the auction is finished, the winner or admin can call `auctionDemo::claimAuction` to refund non-winners and send the NFT to the winner.

`auctionDemo::participateToAuction` and `auctionDemo::claimAuction` can be called in the same block because:

- `participateToAuction` checks: `block.timestamp <= minter.getAuctionEndTime(_tokenid)`
- `claimAuction` checks: `block.timestamp >= minter.getAuctionEndTime(_tokenid)`

thus at the moment `block.timestamp == minter.getAuctionEndTime(_tokenid)` both can be called.

`cancelAllBids` and `cancelBid` also check `block.timestamp <= minter.getAuctionEndTime(_tokenid)`; note that they will not be callable after the end time has passed, making bids after the `claimAuction`
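The following is an added model of the timing checks quoted above, not code from the NextGen repository or from the warden's report. It reproduces only the three predicates the report cites (bid and cancel use `<=`, claim uses `>=`) in a small Python auction state machine, replays the block in which `block.timestamp == end`, and contrasts it with a hardened variant (an assumption of this example, matching the recommendation of not letting bid and claim be callable at the same time) in which the bid and cancel deadlines use a strict `<`. Names, amounts and transaction ordering are constructed for the illustration.

```python
"""Constructed timing model of the auction end-time checks (not the project's code).

Predicates reproduced from the report:
  participateToAuction : block.timestamp <= end
  claimAuction         : block.timestamp >= end
  cancelBid/AllBids    : block.timestamp <= end
At block.timestamp == end all three are satisfiable, so bid, claim and a late bid
can land in one block.  The 'strict_bid_deadline' flag models a hardened variant
(assumption of this example) where bid and cancel require block.timestamp < end.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ETHER = 10**18


@dataclass
class Bid:
    bidder: str
    amount: int           # wei held by the contract for this bid
    refunded: bool = False
    won: bool = False


@dataclass
class Auction:
    end_time: int
    strict_bid_deadline: bool = False        # False = behaviour quoted in the report
    bids: List[Bid] = field(default_factory=list)
    claimed: bool = False
    winner: Optional[str] = None

    def _bid_window_open(self, now: int) -> bool:
        return now < self.end_time if self.strict_bid_deadline else now <= self.end_time

    def highest(self) -> int:
        return max((b.amount for b in self.bids), default=0)

    def participate(self, now: int, bidder: str, amount: int) -> bool:
        """participateToAuction: must beat the current highest bid inside the window."""
        if not self._bid_window_open(now) or amount <= self.highest():
            return False
        self.bids.append(Bid(bidder, amount))
        return True

    def claim(self, now: int) -> bool:
        """claimAuction: once, at or after end; refunds everyone but the top bid."""
        if now < self.end_time or self.claimed:
            return False
        self.claimed = True
        top = self.highest()
        for b in self.bids:                  # only bids present at claim time are touched
            if b.amount == top and self.winner is None:
                b.won, self.winner = True, b.bidder
            else:
                b.refunded = True
        return True

    def cancel(self, now: int, bidder: str) -> bool:
        """cancelBid/cancelAllBids: same window as bidding, so closed after end."""
        if not self._bid_window_open(now):
            return False
        for b in self.bids:
            if b.bidder == bidder and not b.refunded and not b.won:
                b.refunded = True
        return True

    def stuck_wei(self) -> int:
        """Wei that was neither refunded nor won: locked in the contract."""
        return sum(b.amount for b in self.bids if not b.refunded and not b.won)


def replay_block_at_end(strict: bool) -> dict:
    """Replay the end-time block: frontrun bid, claim, then a bid ordered after the claim."""
    end = 1_700_000_000                      # constructed auction end timestamp
    a = Auction(end_time=end, strict_bid_deadline=strict)
    assert a.participate(end - 100, "alice", 1 * ETHER)        # honest highest bid
    frontrun = a.participate(end, "bob", 1 * ETHER + 1)        # +1 wei, same block as claim
    claim_ok = a.claim(end)                                    # claim at timestamp == end
    late_bid = a.participate(end, "carol", 2 * ETHER)          # ordered after the claim
    late_cancel = a.cancel(end + 1, "carol")                   # next block: window closed
    return {
        "frontrun_bid_accepted": frontrun,
        "claim_ok": claim_ok,
        "winner": a.winner,
        "late_bid_accepted": late_bid,
        "late_cancel_ok": late_cancel,
        "stuck_wei": a.stuck_wei(),
    }


if __name__ == "__main__":
    print("as reported :", replay_block_at_end(strict=False))
    print("strict '<'  :", replay_block_at_end(strict=True))
```

With the checks as reported, the +1 wei bid wins, the bid ordered after the claim is accepted and can never be cancelled, so its 2 ether stays in the contract; with a strict bid deadline neither transaction is accepted in the end-time block and nothing is stuck.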
Impact
NFT winning bid may be frontrun and surpassed with 1 WEI and users may have ETH forever blocked in the contract.
Tools Used
Manual review
Recommendations
Do not allow `participateToAuction` and `claimAuction` to be called at the same time.

Assessed type
Timing