claimAuction can be DoS'ed or abuse for gas-mining

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104

Vulnerability details

Impact

claimAuction is called when auction ends by the highest bidder or admins (checked inside WinnerOrAdminRequired modifier). The caller pays for gas to refund everyone who was out-bid and to transfer NFT to the highest bidder. An attacker can DoS this function by creating multiple small bids from contract with recieve-fallback function to mine gas.

Description

For each user that needs to be refunded a call with value is made. Bids can be placed by contracts, and their receive-fallback can execute arbitrary code, including gas-mining operations.

This is a common anti-pattern when implementing auctions, described in SWC-128, more comprehensive example of "auction-like" contract with the same issue described here: https://consensys.github.io/smart-contract-best-practices/development-recommendations/general/external-calls/#favor-pull-over-push-for-external-calls.

This issue is different from issue found in bot report [H-01] Permanent DoS due to non-shrinking array usage in an unbounded loop: we show that refunding inside claim function is a bad practice and might also lead to DoS.

Tools Used

Manual analysis + bot report

Recommended Mitigation Steps

Use pull model for returning auction bids.

Assessed type

DoS

[c4-pre-sort]

141345 marked the issue as duplicate of #1632

[c4-pre-sort]

141345 marked the issue as duplicate of #843

[c4-pre-sort]

141345 marked the issue as duplicate of #486

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #734

[c4-judge]

alex-ppg marked the issue as partial-50

[c4-judge]

alex-ppg changed the severity to 3 (High Risk)