When returnHighestBidder is called. To find highest bidder for _tokenid loop runs on auctionInfoStru[] array for that _tokenid. But in for loop one line is missing to update highBid o each iteration. Because of it highBid remains 0 for all loop iterations. And each bid value will show higher than highBid so it will return last positive bid's bidder which status is true rather than returning highest bid bidder.
Vulnerability Details
In this function's for loop highBid updating line is missing so it will remain 0 for all iterations. Because of it this function will not return highest bid bidder. Since each time condition auctionInfoData[_tokenid][i].bid > highBid will be true even if bid is very little. And index will be updated even if it bid is lesser than previous with true status. it will update the index even if bid is lesser than previous it just should be above 0 with true status and index will be updated. Resulting in wrong bidder returning for that index.
87: function returnHighestBidder(uint256 _tokenid) public view returns (address) {
uint256 highBid = 0;
uint256 index;
for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
91: if (auctionInfoData[_tokenid][i].bid > highBid && auctionInfoData[_tokenid][i].status == true) {
92: index = i;
//@audit highBid = auctionInfoData[_tokenid][i].bid line is missing in this loop so highBid always remains 0
93: }
}
if (auctionInfoData[_tokenid][index].status == true) {
return auctionInfoData[_tokenid][index].bidder;
} else {
revert("No Active Bidder");
}
}
Impact
Due to returning wrong bidder. Bidder will not match with the highest bid because returnHighestBid function is working fine and returning highest bid amount. returnHighestBidder returning wrong bidder. Due to this mismatch claimAuction can never transfer NFT to highest bidder. Also the bid value for all these bidders will be transferred to them. It makes the whole AuctionDemo.sol contract useless.
In claimAuction function if highestBid is correct and highestBidder is wrong than both will mismatches. And due to this both won't be found simultaneously at same index.
Then highestBid will be of different bidder. And current bidder's bid is not highest due to this mismatch , both condition at line 111 in if(auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid will never be simultaneously true at same index resulting in that if condition at line 111 will always be false.
They both will be from different index in array. To pass this condition both should be on same index. For that both highestBid and highestBidder should be correct which is not correct currently.
So it will trigger only second else if(){} block(line 115) of this function and all the ethers of all the bidders including highest bidder will be transferred to the bidders addresses. And makes the whole Auction.Demo contract useless.
Add the missing line into returnHighestBidder function so that it can return right highest bidder. And so it can match with it's highest bid and work fine as intended.
File: hardhat/smart-contracts/AuctionDemo.sol##L104-L120
87: function returnHighestBidder(uint256 _tokenid) public view returns (address) {
uint256 highBid = 0;
uint256 index;
for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
91: if (auctionInfoData[_tokenid][i].bid > highBid && auctionInfoData[_tokenid][i].status == true) {
+ highBid = auctionInfoData[_tokenid][i].bid;
92: index = i;
93: }
}
if (auctionInfoData[_tokenid][index].status == true) {
return auctionInfoData[_tokenid][index].bidder;
} else {
revert("No Active Bidder");
}
}
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L87-L100
Vulnerability details
Summary
When
returnHighestBidder
is called. To find highest bidder for_tokenid
loop runs onauctionInfoStru[]
array for that_tokenid
. But in for loop one line is missing to updatehighBid
o each iteration. Because of ithighBid
remains 0 for all loop iterations. And each bid value will show higher than highBid so it will return last positive bid's bidder which status is true rather than returning highest bid bidder.Vulnerability Details
In this function's for loop highBid updating line is missing so it will remain 0 for all iterations. Because of it this function will not return highest bid bidder. Since each time condition
auctionInfoData[_tokenid][i].bid > highBid
will be true even if bid is very little. And index will be updated even if it bid is lesser than previous with true status. it will update the index even if bid is lesser than previous it just should be above 0 with true status and index will be updated. Resulting in wrong bidder returning for that index./hardhat/smart-contracts/AuctionDemo.sol#L87-L100
Impact
Due to returning wrong bidder. Bidder will not match with the highest bid because
returnHighestBid
function is working fine and returning highest bid amount.returnHighestBidder
returning wrong bidder. Due to this mismatchclaimAuction
can never transfer NFT to highest bidder. Also the bid value for all these bidders will be transferred to them. It makes the wholeAuctionDemo.sol
contract useless.In
claimAuction
function ifhighestBid
is correct andhighestBidder
is wrong than both will mismatches. And due to this both won't be found simultaneously at same index.Then
highestBid
will be of different bidder. And current bidder's bid is not highest due to this mismatch , both condition at line 111 inif(auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid
will never be simultaneously true at same index resulting in that if condition at line 111 will always be false.They both will be from different index in array. To pass this condition both should be on same index. For that both highestBid and highestBidder should be correct which is not correct currently.
So it will trigger only second else if(){} block(line 115) of this function and all the ethers of all the bidders including highest bidder will be transferred to the bidders addresses. And makes the whole
Auction.Demo
contract useless.hardhat/smart-contracts/AuctionDemo.sol##L104-L120
Tools Used
Manual Review
Recommended Mitigation Steps
Add the missing line into
returnHighestBidder
function so that it can return right highest bidder. And so it can match with it's highest bid and work fine as intended.Assessed type
Other