Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If the contract of the malicious ownerOfToken refuses to receive payment, the assets of the highest bidder will be frozen. #1070

Closed
c4-submissions opened this issue Nov 11, 2023 · 5 comments
Closed

If the contract of the malicious ownerOfToken refuses to receive payment, the assets of the highest bidder will be frozen. #1070

c4-submissions opened this issue Nov 11, 2023 · 5 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Nov 11, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L113-L117

Vulnerability details

Impact

If ownerOfToken is a malicious contract, this will cause the return value of the call to be false, and the return value is not checked. The following code will continue to execute. The user with the highest bid will never be able to claim Auction, but the funds of other users will be returned.

Proof of Concept

Suppose A is an address (contract address) that was minted. At this time, ownerOfToken is a malicious address. As long as a revert code is written in the contract to refuse payment, if this NFT is auctioned, the payment with the highest price will be rejected, but other users' All bids will be returned. Even the administrator cannot solve this problem because the malicious contract will always revert.

The address of the malicious token owner
contract Attack {
    //.........other functions

    receive() external payable {
        revert();
    }
}

Tools Used

Manual review

Recommended Mitigation Steps

Checks the return value of the call. If it false(i.e., a malicious contract is detected: the holder of the malicious NFT), the next step of code execution is not performed.
The purpose of this is to prevent the user with the highest bid from continuing to execute the code logic below for refunds for other users after their payment is rejected by the malicious contract.

require(success, "Transfer failed");

It is also necessary to completely delete the NFT of this malicious contract.
Code reference:👇
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/ERC721Enumerable.sol#L116

Assessed type

DoS
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 11, 2023
c4-submissions added a commit that referenced this issue Nov 11, 2023
@c4-submissions
xiao issue #1070
9eda7dc
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #843

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #486

@c4-judge c4-judge reopened this Dec 1, 2023
@c4-judge
Copy link

c4-judge commented Dec 1, 2023

alex-ppg marked the issue as not a duplicate

@alex-ppg
Copy link

alex-ppg commented Dec 6, 2023

The Warden specifies that a malicious owner of the token can revert when they receive native funds which is inconsequential as the native transfer is unchecked in the referenced code block.

@c4-judge c4-judge closed this as completed Dec 6, 2023
@c4-judge
Copy link

c4-judge commented Dec 6, 2023

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex-ppg @c4-judge @c4-pre-sort @c4-submissions @code4rena-admin