AuctionDemo.claimAuction, AuctionDemo.cancelBid, AuctionDemo.cancelAllBids can be called at the same time when block.timestamp == minter.getAuctionEndTime(_tokenid) #1374
Impact
The implementation of AuctionDemo.claimAuction, AuctionDemo.cancelBid and AuctionDemo.cancelAllBids allows all three methods to be called at the moment when block.timestamp == minter.getAuctionEndTime(_tokenid), within the same call or in any order, which causes a number of problems and losses, namely:
- Theft of funds from the auction, since cancelBid and cancelAllBids can be called during AuctionDemo.claimAuction. While the non-winning bids are being returned, or afterwards in the same block, the bids remain active because claimAuction does not change their state, so cancelBid and cancelAllBids succeed and pay the user his bid a second time. This makes it possible to withdraw funds from the contract.
- The winner of the auction can invalidate the auction by withdrawing his bid via receive() and cancelBid during claimAuction. The winner can set a trigger on their first bid that causes a cancelBid on the winning bid of the auction, which causes the block with the transfer of the NFT to fail and the funds not to be issued to the NFT holder. This invalidates the auction.
Dependency for realizing these problems: block.timestamp == minter.getAuctionEndTime(_tokenid), i.e. the block time must be equal to the auction end time.
Since these problems have a common cause in the implementation, and fixing it makes all of them invalid, they were combined as impacts of the same problem in the code.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L135
Vulnerability details
Proof of Concept
Links
Description
The main problem is the ability to call these methods within the same block/transaction, since their conditions share a common state, block.timestamp == minter.getAuctionEndTime(_tokenid), in which all of them can be called within the same block/transaction.
The following tests show the extraction of other people's funds and the disabling of the auction:
Tools Used
Recommended Mitigation Steps
Remove the common point in the conditions that allows these methods to be called within the same block; this makes the cases described above impossible.
Assessed type
Invalid Validation
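
The shared boundary described in this report, as an added Python model (not code from the report or from the NextGen contracts): it assumes cancelBid accepts block.timestamp <= end time while claimAuction accepts block.timestamp >= end time, and compares that with a strict < check for cancellation. The class, the bidder names, the amounts and the "owner" payee are constructed for illustration.

```python
class Revert(Exception):
    """Stands in for a failed require()."""

class AuctionModel:
    # Added model, not the NextGen contract. cancel_inclusive=True assumes
    # cancelBid accepts now <= end while claimAuction accepts now >= end.
    def __init__(self, end_time, cancel_inclusive, other_funds=0):
        self.end_time, self.cancel_inclusive = end_time, cancel_inclusive
        self.balance = other_funds   # funds the contract holds for other auctions
        self.bids, self.paid, self.claimed = [], {}, False

    def _pay(self, who, amount):
        self.balance -= amount
        self.paid[who] = self.paid.get(who, 0) + amount

    def bid(self, bidder, amount):
        self.bids.append({"bidder": bidder, "amount": amount, "active": True})
        self.balance += amount

    def claim(self, now):
        if now < self.end_time or self.claimed:
            raise Revert("auction not ended or already claimed")
        self.claimed = True
        top = max(b["amount"] for b in self.bids if b["active"])
        for b in (b for b in self.bids if b["active"]):
            # Winning bid goes to the owner, the others are returned;
            # as the report notes, no bid is marked inactive here.
            self._pay("owner" if b["amount"] == top else b["bidder"], b["amount"])

    def cancel(self, now, index):
        still_open = now <= self.end_time if self.cancel_inclusive else now < self.end_time
        b = self.bids[index]
        if not still_open or not b["active"]:
            raise Revert("auction ended or bid inactive")
        b["active"] = False
        self._pay(b["bidder"], b["amount"])

def run_at_end_time(cancel_inclusive):
    # Constructed scenario: claim and cancel land in the block where now == end.
    a = AuctionModel(end_time=1000, cancel_inclusive=cancel_inclusive, other_funds=5)
    a.bid("alice", 5)
    a.bid("bob", 7)
    a.claim(now=1000)
    try:
        a.cancel(now=1000, index=0)   # alice's bid was already returned by claim
    except Revert:
        pass
    return a.paid.get("alice", 0), a.balance   # (paid to alice, contract balance)

if __name__ == "__main__":
    print("inclusive boundary:", run_at_end_time(True))
    print("strict boundary:   ", run_at_end_time(False))
```

With the inclusive check the 5-unit bid is paid out twice and the contract's other funds cover the difference; with the strict check the cancellation reverts and the balance is untouched.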