Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If the safeTransferFrom call inside the AuctionDemo::claimAuction function reverts for any reason, all funds will be stuck within the contract, possibly forever #1267

Closed
c4-submissions opened this issue Nov 12, 2023 · 6 comments
Closed

If the safeTransferFrom call inside the AuctionDemo::claimAuction function reverts for any reason, all funds will be stuck within the contract, possibly forever #1267

c4-submissions opened this issue Nov 12, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-739 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L112

Vulnerability details

Impact

All non-winning user bids won't be able to be refunded and the contract owner won't be able to receive the ETH from the winning bid

Proof of Concept

The safeTransferFrom call that is being made in the AuctionDemo::claimAuction function, in order to send the auction winner their NFT, can revert, both intentionally and unintentionally. For example, it can revert if the receiver address does not implement the IERC721Receiver interface, or it can also revert if the onERC721Received function that is called within safeTransferFrom reverts. If some of those scenarios take place, the claimAuction function will be DoSed, possibly forever, depending on the root cause of the revert.

To help visualise the problem further, let's take a step-by-step example of how it can occur unintentionally:

  1. A new auction starts
  2. Users start placing bids back and forth
  3. The auction comes to an end
  4. The auction winner calls the claimAuction function in order to claim the NFT that they just won
  5. Unfortunately for all auction participants though though, since the winner does not implement the IERC721Receiver interface, his transaction gets reverted. And it will keep on reverting no matter what the he does and how many times the function gets called. All of the auction funds are now stuck within the contract forever.

Tools Used

Manual Review

Recommended Mitigation Steps

Extract the safeTransferFrom call into a separate function.

Assessed type

DoS
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 12, 2023
c4-submissions added a commit that referenced this issue Nov 12, 2023
@c4-submissions
Arabadzhiev issue #1267
1398867
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #486

@c4-pre-sort c4-pre-sort added duplicate-486 high quality report This report is of especially high quality labels Nov 20, 2023
@c4-pre-sort
Copy link

141345 marked the issue as high quality report

@c4-pre-sort c4-pre-sort removed the high quality report This report is of especially high quality label Nov 20, 2023
@c4-pre-sort
Copy link

141345 marked the issue as remove high or low quality report

@c4-judge c4-judge reopened this Dec 1, 2023
@c4-judge
Copy link

c4-judge commented Dec 1, 2023

alex-ppg marked the issue as not a duplicate

@c4-judge c4-judge closed this as completed Dec 1, 2023
@c4-judge
Copy link

c4-judge commented Dec 1, 2023

alex-ppg marked the issue as duplicate of #1759

@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-50

@c4-judge c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Dec 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-739 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-submissions