Closed c4-submissions closed 9 months ago
141345 marked the issue as duplicate of #1632
141345 marked the issue as duplicate of #843
141345 marked the issue as duplicate of #486
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #2006
alex-ppg marked the issue as selected for report
The Warden specifies that, after remediation for a bot finding is applied, the recipients of bid refunds could hijack the call chain of the claimAuction function to revert.
Firstly, this submission falls under the Speculation on Future Code Supreme Court Verdict whereby they attempt to justify why the Sponsor would make the necessary code change for native transfers that would result in this vulnerability. Specifically, they attempt to justify that remediation for M-01 would result in the vulnerability manifesting.
The Supreme Court ruling specifically states that the root cause should be present in the code already. As the Warden relies on an assumption of potential remediation rather than future code that inherits from/integrates with the existing in-scope codebase, I consider this exhibit to be out-of-scope.
To note, some duplicates of this issue simply refer to revert being sufficient in the current implementation for causing the DoS, which is invalid, as the success boolean is not evaluated in any shape or form, meaning that a revert operation would be ignored and the code would successfully continue its execution.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Summary:
When an auction starts for a _tokenid, as the first bidder or by frontrunning the first bidder, a malicious user will call the participateToAuction function of AuctionDemo.sol, and he can become the first bidder by passing some wei as the bid. After the auction has ended, the winner/admin will call the claimAuction function. But if the malicious bidder doesn't want to receive his ethers, because he only passed some wei, then he can revert from his contract's receive() function. The claimAuction call will then fail every time for this _tokenid and claimAuction will be in Denial of Service mode. All the funds of the other bidders will be stuck and the NFT will also not be transferred to the highest bidder.
Vulnerability Details and POC:
The malicious user will call the participateToAuction function when the auction starts for a _tokenid. Because the next bid amount needs to be greater than the previous highest bid amount, the malicious user will enter as the first bidder or frontrun the first bidder, so that he can enter first with just some dust amount, because for the first bidder the previous highest amount will be 0.
hardhat/smart-contracts/AuctionDemo.sol#L57-L61
The winner/admin will call the claimAuction function. This function should transfer the NFT to the highest bidder and return to all other bidders their bid amounts. But when claimAuction tries to transfer the bid amount in ether (line 116 in the code below) to the malicious user, his malicious contract will revert and will not accept the ether. Due to this the whole transaction will revert and claimAuction will be in DoS mode.
Note: Here at line 116 the return value of the low level call is not checked. That is itself an issue, but it was found in the bot report. So by adding that consideration (require(success,"Transfer Failed");) it will be in DoS mode. In the current code it won't revert, but if the malicious user wants to revert anyway, he can consume all the gas, and due to out of gas the whole transaction can still revert.
hardhat/smart-contracts/AuctionDemo.sol#L104-L120
All the funds of all the bidders who bid to purchase that _tokenid NFT will be stuck in Auction.sol. There is no emergency withdraw function to withdraw ethers if the auction ends and claimAuction is in DoS mode. Users will not be able to cancel bids when the auction ends.
Malicious bidder Contract
Note: There is a DoS in the bot report for this function as well, but its root cause is completely different. That one was due to array out of bounds; here the root cause is completely different.
Impact:
All the funds of all the bidders who bid to purchase that _tokenid NFT will be stuck in Auction.sol. If the auction ends and claimAuction is in DoS mode, there is no way to withdraw the ethers of the bidders who bid to purchase that _tokenid. Users will also not be able to cancel bids when the auction ends.
Tools Used:
Manual Review
Recommended Mitigation:
Assessed type
DoS
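The following Solidity sketch is an added illustration for this page; it is not the NextGen AuctionDemo.sol code and not the Warden's POC (whose contract is not reproduced above). It contrasts the three refund-loop shapes the thread argues about: the current shape where the low-level call's success boolean is ignored (a reverting receiver is skipped and execution continues, as the judge notes), the speculated remediation where require(success, ...) turns one reverting bidder into a permanent revert of claimAuction, and a pull-payment shape that removes the dependency on every refund recipient accepting ether. Contract and function names (RefundLoopAuction, claimAuctionUnchecked, claimAuctionChecked, claimAuctionPull, withdrawRefund, RevertingBidder) are hypothetical; the NFT transfer to the winner is omitted because it is not the point under discussion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified auction (NOT the NextGen AuctionDemo.sol contract).
// Bids are pushed in increasing order, so the last bid for a tokenId is the winner
// and every earlier bid must be refunded when the auction is claimed.
contract RefundLoopAuction {
    struct Bid { address bidder; uint256 amount; }

    mapping(uint256 => Bid[]) public bids;            // tokenId => ordered bids
    mapping(uint256 => bool) public claimed;          // tokenId => already claimed
    mapping(address => uint256) public pendingRefunds; // pull-payment ledger

    function participateToAuction(uint256 tokenId) external payable {
        Bid[] storage b = bids[tokenId];
        uint256 highest = b.length == 0 ? 0 : b[b.length - 1].amount;
        // The first bidder faces a "previous highest" of 0, so dust is enough.
        require(msg.value > highest, "bid must exceed current highest");
        b.push(Bid(msg.sender, msg.value));
    }

    // Shape 1 (current code as described by the judge): success is never evaluated.
    // A receiver that reverts just loses its refund; the loop and the claim continue.
    function claimAuctionUnchecked(uint256 tokenId) external {
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        Bid[] storage b = bids[tokenId];
        for (uint256 i = 0; i + 1 < b.length; i++) {
            (bool success, ) = payable(b[i].bidder).call{value: b[i].amount}("");
            // success deliberately not checked: this is the behaviour the judge describes
        }
    }

    // Shape 2 (the speculated remediation the Warden relies on): checking success
    // means one bidder whose receive() reverts makes every claimAuction call revert,
    // so no other bidder is ever refunded and the claim never completes.
    function claimAuctionChecked(uint256 tokenId) external {
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        Bid[] storage b = bids[tokenId];
        for (uint256 i = 0; i + 1 < b.length; i++) {
            (bool success, ) = payable(b[i].bidder).call{value: b[i].amount}("");
            require(success, "Transfer Failed"); // one hostile receiver blocks all refunds
        }
    }

    // Shape 3 (pull payments): the claim only records what each bidder is owed, and
    // each bidder withdraws on their own. A bidder who refuses ether hurts only itself.
    function claimAuctionPull(uint256 tokenId) external {
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;
        Bid[] storage b = bids[tokenId];
        for (uint256 i = 0; i + 1 < b.length; i++) {
            pendingRefunds[b[i].bidder] += b[i].amount;
        }
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Transfer Failed"); // only this caller's withdrawal fails
    }
}

// Hypothetical hostile bidder: places a dust bid through the auction and refuses
// every incoming ether transfer by reverting in receive().
contract RevertingBidder {
    RefundLoopAuction public immutable auction;

    constructor(RefundLoopAuction a) { auction = a; }

    function bid(uint256 tokenId) external payable {
        auction.participateToAuction{value: msg.value}(tokenId);
    }

    receive() external payable {
        revert("no refunds accepted");
    }
}
```

Walking through a claim with RevertingBidder as the first (dust) bidder and one honest higher bidder: claimAuctionUnchecked completes, the dust stays in the auction contract, and the honest bidders' refunds go through; claimAuctionChecked reverts at the hostile bidder on every attempt, which is the DoS the report describes, but only once the require is present; claimAuctionPull completes regardless, and the hostile bidder's own withdrawRefund is the only call that ever fails. For the unchecked shape, note that a receiver can still burn most of the forwarded gas (the call forwards all but 1/64 of what remains), so whether the rest of the loop survives depends on how much gas the claimer supplied; this sketch does not cap the forwarded gas, and neither does the report's description of the original loop.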