Malicious bidder can DOS the claimAuction function
#1750
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-739
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
The winner of the auction can render the claimAuction function useless for a particular token ID by bidding through a smart contract that does not implement the onERC721Received callback hook. This callback is invoked by the NFT contract during safeTransferFrom to confirm that the recipient contract is capable of receiving and transferring the NFT. The malicious bidder loses their funds for that auction, and the other bidders never receive their refunds because the function reverts every time.
Proof of Concept
Consider the following scenario with participants Alice and Bob in the auction:
A) Alice bids 1 ETH for tokenId = 2.
B) Other bidders participate in the auction for the same tokenId.
C) Bob places the highest bid for tokenId = 2 and becomes the winner once the auction ends. However, he bid from a smart contract that does not implement the onERC721Received callback hook, whether intentionally or not.
D) If the winner or the admin calls the claimAuction function for that tokenId, the line IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenId); will revert. safeTransferFrom calls the recipient's onERC721Received hook to check that the contract can receive ERC721 tokens; Bob's contract lacks the hook, so the call reverts, and it reverts again on every subsequent attempt.
Link to relevant code - Line 112
Tools Used
VSCode
Recommended Mitigation Steps
Use transferFrom instead of safeTransferFrom.
Assessed type
DoS
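Added example, not code from NextGen's AuctionDemo.sol: a hypothetical minimal auction contract with the claim written both ways, the safeTransferFrom form that fails in the proof of concept above and the transferFrom form from the recommended mitigation. AuctionSketch, its bid bookkeeping and the tokenOwner stand-in for ownerOfToken are assumptions for illustration, and tokenOwner is assumed to have approved the contract for the auctioned tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Hypothetical auction sketch, not NextGen's AuctionDemo.sol. Bids must strictly increase, so
// the last entry wins; losers are refunded in the same claim call, so one revert blocks them all.
contract AuctionSketch {
    struct Bid { address bidder; uint256 amount; }
    IERC721 public immutable nft;
    address public immutable tokenOwner;        // address the token is transferred from
    mapping(uint256 => Bid[]) internal bids;    // tokenId => bids in ascending order
    constructor(IERC721 _nft, address _tokenOwner) { nft = _nft; tokenOwner = _tokenOwner; }

    function bid(uint256 tokenId) external payable {
        Bid[] storage list = bids[tokenId];
        require(list.length == 0 || msg.value > list[list.length - 1].amount, "bid too low");
        list.push(Bid(msg.sender, msg.value));
    }

    // Vulnerable shape: safeTransferFrom calls onERC721Received on a contract winner, so a
    // winner that lacks the hook reverts the whole claim and _payOut never runs.
    function claimAuctionVulnerable(uint256 tokenId) external {
        Bid[] memory list = _startClaim(tokenId);
        nft.safeTransferFrom(tokenOwner, list[list.length - 1].bidder, tokenId);
        _payOut(list);
    }

    // Hardened shape (the finding's recommended fix): transferFrom skips the receiver hook,
    // so an unprepared winner contract cannot block settlement for the other bidders.
    function claimAuctionHardened(uint256 tokenId) external {
        Bid[] memory list = _startClaim(tokenId);
        nft.transferFrom(tokenOwner, list[list.length - 1].bidder, tokenId);
        _payOut(list);
    }

    // Copies the bids to memory and clears storage first, so a claim cannot be replayed.
    function _startClaim(uint256 tokenId) internal returns (Bid[] memory list) {
        list = bids[tokenId];
        require(list.length > 0, "nothing to claim");
        delete bids[tokenId];
    }

    // Winning amount goes to the token owner; every lower bid is refunded to its bidder.
    function _payOut(Bid[] memory list) internal {
        for (uint256 i = 0; i < list.length; i++) {
            address to = i == list.length - 1 ? tokenOwner : list[i].bidder;
            (bool ok, ) = payable(to).call{value: list[i].amount}("");
            require(ok, "payment failed");
        }
    }
}
```

With a winner contract that has no onERC721Received, claimAuctionVulnerable reverts on every call while claimAuctionHardened settles and refunds the losing bidders; the unprepared winner simply ends up holding a token it may not be able to move, which is its own loss rather than everyone's.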