Malicious bidder can cause a DOS in claimAuction by rejecting ETH transfer

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120

Vulnerability details

Impact

The claimAuction function, responsible for claiming the won NFT, attempts to refund all previous bidders' ETH bid amounts. This design introduces a potential Denial-of-Service (DOS) risk. If a previous bidder, acting maliciously, rejects the ETH transfer (by always reverting in the receive function), the entire claiming process fails. This leaves the auction winner and the admin unable to claim the NFT, and it also prevents other bidders from retrieving their funds. As claimAuction is the sole method for refunding bids after an auction concludes, the entire process becomes blocked.

Proof of Concept

The issue occurs in claimAuction function below :

function claimAuction(
    uint256 _tokenid
) public WinnerOrAdminRequired(_tokenid, this.claimAuction.selector) {
    require(
        block.timestamp >= minter.getAuctionEndTime(_tokenid) &&
            auctionClaim[_tokenid] == false &&
            minter.getAuctionStatus(_tokenid) == true
    );
    auctionClaim[_tokenid] = true;
    uint256 highestBid = returnHighestBid(_tokenid);
    address ownerOfToken = IERC721(gencore).ownerOf(_tokenid);
    address highestBidder = returnHighestBidder(_tokenid);
    for (uint256 i = 0; i < auctionInfoData[_tokenid].length; i++) {
        if (
            auctionInfoData[_tokenid][i].bidder == highestBidder &&
            auctionInfoData[_tokenid][i].bid == highestBid &&
            auctionInfoData[_tokenid][i].status == true
        ) {
            IERC721(gencore).safeTransferFrom(
                ownerOfToken,
                highestBidder,
                _tokenid
            );
            (bool success, ) = payable(owner()).call{value: highestBid}("");
            emit ClaimAuction(owner(), _tokenid, success, highestBid);
        } else if (auctionInfoData[_tokenid][i].status == true) {
            //@audit can be DOS if bidder doesn't accept ETH
            (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder)
                .call{value: auctionInfoData[_tokenid][i].bid}("");
            emit Refund(
                auctionInfoData[_tokenid][i].bidder,
                _tokenid,
                success,
                highestBid
            );
        } else {}
    }
}

The function iterates through all auction bids, transferring the NFT to the highest bidder and attempting to refund previous bidders. If a malicious bidder uses a contract to participate in the auction with a receive function that does always revert on ETH transfer, the claimAuction function will consistently revert, causing a DOS scenario.

The DOS vulnerability prevents the auction winner and admin from claiming the NFT and block previous bidders from retrieving their bid funds. As cancelBid and cancelAllBids are disabled after an auction ends (because of the check block.timestamp <= minter.getAuctionEndTime(_tokenid)), and claimAuction is the sole refund mechanism, all previous bidders' funds become inaccessible and will be be stuck in the contract.

Tools Used

Manual review

Recommended Mitigation Steps

To avoid these issue i recommend to use the claimAuction function only for claiming the NFT for the highest bidder and allowing all other bidders to withdraw their bids using either cancelBid or cancelAllBids.

Assessed type

DoS

[c4-pre-sort]

141345 marked the issue as duplicate of #1632

[c4-pre-sort]

141345 marked the issue as duplicate of #843

[c4-pre-sort]

141345 marked the issue as duplicate of #486

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #2006

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Out of scope

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Out of scope