will result in a lockup of funds for the entire contract #61
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1785
edited-by-warden
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
141345 marked the issue as duplicate of #1632
141345 marked the issue as duplicate of #843
141345 marked the issue as duplicate of #486
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #1785
alex-ppg marked the issue as unsatisfactory
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
Impact
Because claimAuction refunds every losing bidder inside a single transaction and reverts if any one of those transfers fails, one uncooperative bidder makes the whole call revert. The bids held by the contract (the losers' refunds and the winning bid) then stay locked, since the settlement path never completes.
Proof of Concept
An attacker deploys a contract that participates in the auction with a very small bid (1 wei is enough) and implements receive() as a plain revert(), so the contract refuses any incoming Ether transfer.
After the auction ends, claimAuction sends the losing bidders' funds back in one batch loop. When the loop reaches the attacker's address, the refund transfer fails, the require on the call result reverts, and the entire transaction is rolled back. No bidder is refunded, the winner's payment is never settled, and the funds remain locked in the contract for as long as the attacker's bid is in the list.
Tools Used
foundry
Recommended Mitigation Steps
Disable contract calls, i.e. prevent contract accounts from bidding. Note that a code-size check can be bypassed by bidding from a constructor, so the more robust fix is a pull-payment pattern: record each losing bidder's refund in a mapping during claimAuction and let each bidder withdraw it in a separate transaction, so that one reverting receiver can only block its own refund and not everyone else's.
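The following Solidity is an added illustration and is not code from the NextGen repository or from the warden's submission. It models the push-refund loop the report describes at AuctionDemo.sol#L116 as a minimal auction (the contract and function names PushRefundAuction, PullRefundAuction, participateToAuction and withdrawRefund are hypothetical, and the structure is an assumption about the audited contract), shows the reverting bidder from the proof of concept, and contrasts it with a pull-payment variant in which the same attacker blocks only its own refund.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not NextGen's AuctionDemo.sol. A minimal auction that refunds
// every losing bidder inside one loop, modelling the pattern the report targets.
contract PushRefundAuction {
    struct Bid { address bidder; uint256 amount; }
    Bid[] public bids;
    address public immutable owner;
    uint256 public immutable endTime;

    constructor(uint256 duration) {
        owner = msg.sender;
        endTime = block.timestamp + duration;
    }

    function participateToAuction() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value > 0, "zero bid");
        bids.push(Bid(msg.sender, msg.value));
    }

    // Pays the highest bid to the owner and pushes every other bid back.
    // If any single refund fails the whole call reverts, so nobody is paid.
    function claimAuction() external {
        require(block.timestamp >= endTime, "auction running");
        uint256 highest;
        uint256 winnerIdx;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].amount > highest) { highest = bids[i].amount; winnerIdx = i; }
        }
        for (uint256 i = 0; i < bids.length; i++) {
            if (i == winnerIdx) continue;
            (bool ok, ) = bids[i].bidder.call{value: bids[i].amount}("");
            require(ok, "refund failed"); // griefing point: one revert blocks all
        }
        (bool paid, ) = owner.call{value: highest}("");
        require(paid, "payout failed");
    }
}

// Attacker from the proof of concept: bids 1 wei, then rejects every transfer.
contract RevertingBidder {
    function bid(address auction) external payable {
        PushRefundAuction(auction).participateToAuction{value: msg.value}();
    }
    receive() external payable { revert("no refunds"); }
}

// Hardened variant: refunds are recorded and pulled, so a reverting receiver
// only strands its own refund.
contract PullRefundAuction {
    struct Bid { address bidder; uint256 amount; }
    Bid[] public bids;
    mapping(address => uint256) public refunds;
    address public immutable owner;
    uint256 public immutable endTime;
    bool public settled;

    constructor(uint256 duration) {
        owner = msg.sender;
        endTime = block.timestamp + duration;
    }

    function participateToAuction() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value > 0, "zero bid");
        bids.push(Bid(msg.sender, msg.value));
    }

    function claimAuction() external {
        require(block.timestamp >= endTime, "auction running");
        require(!settled, "already settled");
        settled = true; // effects before any external call
        uint256 highest;
        uint256 winnerIdx;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].amount > highest) { highest = bids[i].amount; winnerIdx = i; }
        }
        for (uint256 i = 0; i < bids.length; i++) {
            if (i != winnerIdx) refunds[bids[i].bidder] += bids[i].amount;
        }
        (bool paid, ) = owner.call{value: highest}("");
        require(paid, "payout failed");
    }

    // Each loser withdraws in its own transaction; a revert here affects only msg.sender.
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

In a Foundry test, deploy PushRefundAuction, have an EOA bid 1 ether and a RevertingBidder bid 1 wei, warp past endTime and call claimAuction with vm.expectRevert("refund failed"); repeating the same sequence against PullRefundAuction lets claimAuction succeed and only the RevertingBidder's withdrawRefund reverts. The owner's payout in the pull variant is still a push; if the owner can also be a contract, it should be moved behind the same withdrawal mapping.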
Assessed type
DoS