code-423n4 / 2022-09-nouns-builder-findings


Bids can be created while paused #721

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L88-L92

Vulnerability details

createBid() allows for bid creation while the Auction is paused. As the latter happens on a system error (mint failure), this can allow an attacker to interact with the malfunctioning system.

This at least can lead to misallocation of user's funds, i.e. freezing the bid while there is no chance to get the token as mint doesn't work.

Proof of Concept

createBid() allows for funds deposit while the Auction is in a malfunctioning state:

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L88-L92

    /// @notice Creates a bid for the current token
    /// @param _tokenId The ERC-721 token id
    function createBid(uint256 _tokenId) external payable nonReentrant {
        // Get a copy of the current auction
        Auction memory _auction = auction;

Recommended Mitigation Steps

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L88-L92

    /// @notice Creates a bid for the current token
    /// @param _tokenId The ERC-721 token id
-   function createBid(uint256 _tokenId) external payable nonReentrant {
+   function createBid(uint256 _tokenId) external payable whenNotPaused nonReentrant {
        // Get a copy of the current auction
        Auction memory _auction = auction;
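
Review bot: the NatSpec above the changed createBid signature is left untouched, so the new revert-while-paused behaviour is undocumented for callers; add a line such as `/// @dev Reverts while the auction is paused`. The added whenNotPaused modifier is not defined in the visible lines, so confirm that Auction inherits it, and add a test asserting that createBid reverts while the contract is paused so the guard cannot be dropped silently in a later refactor.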

GalloDaSballo commented 1 year ago

See #274