AuctionDemo#claimAuction is permanently DoSed if highest bidder is a contract that does not implement onERC721Received
#1759
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-739
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
c4-submissions
added
2 (Med Risk)
|
141345 marked the issue as duplicate of #486 |
|
alex-ppg marked the issue as not a duplicate |
|
alex-ppg marked the issue as primary issue |
c4-judge
added
the
primary issue
This was referenced Dec 1, 2023
Closed
This was referenced Dec 1, 2023
Auction winner can refuse to receive collection token results in other users' funds being stuck
#642
Closed
Closed
Closed
c4-judge
added
duplicate-739
and removed
primary issue
|
alex-ppg marked issue #739 as primary and marked this issue as a duplicate of 739 |
c4-judge
added
the
satisfactory
|
alex-ppg marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
If the winner of an auction is a smart contract that does not implement
onERC721Received, or if it is implemented but leads to a revert (which could be done unintentionally or maliciously) then the NFT, as well as the funds of all active bids will be trapped in the contract indefinitely.Proof of Concept
AuctionDemo#claimAuctionuses ERC721'ssafeTransferFromto transfer the auctioned NFT from the current owner to the winning bidder. This function checks whether the receiver is a smart contract and if it is, attempts to callonERC721Received.This scenario would lead to a complete DoS of
claimAuction. Since it is the only function that is capable of sending the NFT and the ETH of the bidders from the contract, those funds would all be trapped in the contract.safeTransferFromcallhighestBidderwith a different address that is capable of receiving the NFTcancelBidorcancelAllBidsto retrieve their ETH because they revert if the auction is completedRecommended Mitigation Steps
Use
transferinstead ofsafeTransfer. Although an auction winner that does not implementonERC721Receivedmay not be able to access their NFT, they wouldn't have been able to receive it anyway ifsafeTransferwas used, and this way losing bidders still get their ETH back.function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){ require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true); auctionClaim[_tokenid] = true; uint256 highestBid = returnHighestBid(_tokenid); address ownerOfToken = IERC721(gencore).ownerOf(_tokenid); address highestBidder = returnHighestBidder(_tokenid); for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) { if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) { - IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid); + IERC721(gencore).transferFrom(ownerOfToken, highestBidder, _tokenid); (bool success, ) = payable(owner()).call{value: highestBid}(""); emit ClaimAuction(owner(), _tokenid, success, highestBid); } else if (auctionInfoData[_tokenid][i].status == true) { (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}(""); emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid); } else {} }Assessed type
ERC721
The text was updated successfully, but these errors were encountered: