User can win the auction or ddos it, thanks to the cancel bid function

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130

Vulnerability details

Impact

The user can win the auction by spending a small amount to do so. Or it may block the auction.
This is because you can cancel your bet. Even if the user has only one.

Proof of Concept

Case: The user wins the auction by spending a small amount on it.

1. As soon as the auction begins, the user places a bid for a small amount. And in the same transaction, the next call is to bet on a very large amount, which is unlikely to be outbid by anyone.
2. Before the end of the auction, the user calls the cancel bid function and cancels his bid for a large amount
3. The user becomes the winner of the auction since no one else was able to participate in it. And most importantly, he receives NFT for the amount of the first bet - for a small amount.

Case: The user blocks the auction

1. When the auction begins, the user places a bid for a very large amount, which is unlikely to be outbid by anyone
2. Waits for the end of the auction, and just before the end, sends a request to cancel his bid. The auction ends and as a result, no one bought NFT due to user actions

Tools Used

Manual review

Recommended Mitigation Steps

Allow to users cancel their bids, if they have at least 2 active bids.

Assessed type

DoS

[c4-pre-sort]

141345 marked the issue as duplicate of #962

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #1784

[c4-judge]

alex-ppg marked the issue as duplicate of #1323

[c4-judge]

alex-ppg marked the issue as partial-25

[c4-judge]

alex-ppg marked the issue as satisfactory

[c4-judge]

alex-ppg marked the issue as partial-25

[c4-judge]

alex-ppg changed the severity to 3 (High Risk)