Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The winner can DoS the auction and stuck the NFT and users funds in the contract #63

Closed
c4-submissions opened this issue Nov 1, 2023 · 6 comments
Closed

The winner can DoS the auction and stuck the NFT and users funds in the contract #63

c4-submissions opened this issue Nov 1, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-739 edited-by-warden partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Nov 1, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120

Vulnerability details

Impact

Winners will be able to DoS auctions and lock both their NFTs and all of the funds of other bidders. This issue arises because AuctionDemo's claimAuction uses push instead of a pull.

The winner does not need to be a user, it can also be a competitive entity. A competitor against the collection or against NextGen.

Proof of Concept

Once the auction has ended, the winner can invoke claimAuction. And to revert on his _checkOnERC721Received.

The core issue is in this if if, within this for loop, where, if the current bidder is not the winner, their funds are refunded.

for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
    ...
    } else if (auctionInfoData[_tokenid][i].status == true) {
        (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
        emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid);
    } else {}
}

Example:

  1. NFT is scheduled for auction with start of 0.01ETH
  2. 50 more bidders bid - 0.011, 0.015... 0.29.
  3. Attacker bids last - 0.3ETH (1 wei higher than the bid before him) using a contract that reverts when it receives the NFT.
  4. Auction ends.
  5. claimAuction reverts as the call made to the attacker contract reverts.

Attacker loses some ETH, however 50 bidders lose their bids (the last one is the same as the attaker) and the NFT will remain stuck in the contract.

Tools Used

Manual review

Recommended Mitigation Steps

Utilize the pull method instead of the push method. This can be achieved by creating another function that allows users to manually withdraw their funds after the auction concludes.

Assessed type

DoS
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 1, 2023
c4-submissions added a commit that referenced this issue Nov 1, 2023
@c4-submissions
0x3b issue #63
ee5e1d5
@code4rena-admin code4rena-admin changed the title A bidder can DoS the auction and stuck the NFT and users funds in the contract The winner can DoS the auction and stuck the NFT and users funds in the contract Nov 2, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #843

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #486

@c4-judge
Copy link

c4-judge commented Dec 5, 2023

alex-ppg marked the issue as not a duplicate

@c4-judge c4-judge reopened this Dec 5, 2023
@c4-judge
Copy link

c4-judge commented Dec 5, 2023

alex-ppg marked the issue as duplicate of #739

@c4-judge c4-judge closed this as completed Dec 5, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-50

@c4-judge c4-judge added partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 8, 2023
@c4-judge
Copy link

c4-judge commented Dec 9, 2023

alex-ppg changed the severity to 2 (Med Risk)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-739 edited-by-warden partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @c4-submissions @code4rena-admin