Closed c4-submissions closed 7 months ago
141345 marked the issue as duplicate of #962
alex-ppg marked the issue as duplicate of #1323
alex-ppg marked the issue as partial-50
alex-ppg marked the issue as full credit
alex-ppg marked the issue as partial-50
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L111-L114 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130
Vulnerability details
Impact
Vulnerability allows the highest bidder (the auction winner) to reclaim their bid amount while also receiving the NFT.
Proof of Concept
The vulnerability stems from the timing of checks in the claimAuction and cancelBid functions and reentrancy.
claimAuction
function only proceeds if the auction has ended, as verified byrequire(block.timestamp >= minter.getAuctionEndTime(_tokenid))
cancelBid
function can be invoked as long as the auction hasn't ended, checked viarequire(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended")
safeTransferFrom
to transfer the NFT leads to a reentrancy attack. If the highestBidder is a contract with malicious logic in onERC721Received, it will invokecancelBid
and pass allrequire
statements, and get his ETH back.success
ofpayable(owner()).call{value: highestBid}("")
didn't check.Tools Used
Manual code review
Recommended Mitigation Steps
claimAuction
andcancelBid
.claimAuction
function to prevent reentrancy. eg addauctionInfoData[_tokenid][index].status = false;
beforesafeTransferFrom
Assessed type
Reentrancy