search

code-423n4 / 2023-10-nextgen-findings

5 stars 3 forks source link

Lack of Sniping protection could make an attacker outbid the current highest bidder in the last possible moment. #1146

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L57-L61 https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L57-L61

Vulnerability details

Impact

Current winner of the bid could lose the bid in the last possible moment. The goal of sniping is often to catch other participants off guard and secure the winning bid for the valuable NFTs.

Proof of Concept

Snipping refers to the practice of placing a bid at the last possible moment in an attempt to win an auction just before it closes. The participateToAuction(...) function does not have any snipping protection implemented.

function participateToAuction(uint256 _tokenid) public payable {
        require(msg.value > returnHighestBid(_tokenid) && block.timestamp <= minter.getAuctionEndTime(_tokenid) && minter.getAuctionStatus(_tokenid) == true);
        auctionInfoStru memory newBid = auctionInfoStru(msg.sender, msg.value, true);
        auctionInfoData[_tokenid].push(newBid);
    }

Tools Used

Vs code

Recommended Mitigation Steps

To implement sniping protection in an auction smart contract, developers may incorporate various features or strategies. Here are a few common approaches:

Extended Bidding Period:

One simple way to counter sniping is to extend the auction's closing time whenever a new bid is placed close to the original closing time. This gives other participants additional time to respond with higher bids.

Bid Increments:

Implementing bid increment rules ensures that the next bid must exceed the current highest bid by a predefined increment. This makes it more difficult for snipers to place bids at the last moment since they would need to exceed the current highest bid by a larger amount.

Reveal Periods:

Introduce a "reveal period" after the auction ends but before the final winner is determined. During this period, participants can reveal any secret bids they placed. This prevents snipers from waiting until the last moment to reveal high bids.

Randomized Ending Times:

Randomizing the ending time of the auction within a certain window can make it more challenging for snipers to predict the exact moment to place their bids.

Assessed type

Timing

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #962

c4-judge commented 10 months ago

alex-ppg marked the issue as not a duplicate

c4-judge commented 10 months ago

alex-ppg marked the issue as duplicate of #1784

c4-judge commented 10 months ago

alex-ppg marked the issue as duplicate of #1323

c4-judge commented 10 months ago

alex-ppg marked the issue as partial-25

c4-judge commented 10 months ago

alex-ppg marked the issue as satisfactory

c4-judge commented 10 months ago

alex-ppg marked the issue as partial-25