-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
a malicious bidder can always revert claimAuction #1106
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
141345 marked the issue as duplicate of #1632 |
141345 marked the issue as duplicate of #843 |
141345 marked the issue as duplicate of #486 |
alex-ppg marked the issue as not a duplicate |
alex-ppg marked the issue as duplicate of #1782 |
alex-ppg marked the issue as partial-50 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
claimAuction function would be called whenever an already signed up auction's time has been ended .
by calling the function from owner or an admin the function will first check to see if the configuration are all right and then it would start to
1-transfer the nft to the winner
2-transfer the eth that the owner won in auction to the owner
3-transfer the eth of bid losers back to them
while doing eth transfer in 2 and 3 the function use
.call
method which is good . however one option is not being considered here and that is the gas cost of the call .by using call method the function would call the receiver address . if it is smart contract it will execute its fallback function and if it is not it would only transfer the eth .
a malicious owner or bid loser can deploy a smart contract and pass as the parameter to join in the auction . the smart contract that they would deploy will run an infinity loop that would consume the whole block gas of the call , on that way the call has no way but to revert the whole made call .
using this the claimAuction call would get always reverted when calling that tokenid .
Assessed type
DoS
The text was updated successfully, but these errors were encountered: