Closed c4-submissions closed 7 months ago
141345 marked the issue as duplicate of #962
alex-ppg marked the issue as not a duplicate
The Warden specifies that if the highest bidder is the bidder of multiple bids, the claimAuction
loop will incorrectly distribute the highestBid
to the owner
of the contract multiple times.
This submission is incorrect as the Warden has failed to identify that the if
clause which protects the owner
transfer's execution strictly evaluates that the highestBid
of the overall auction is equal to the bid that is being processed. Coupled with the fact that bids are mandated to be greater than the previous one and canceled bids aren't processed, this submission is incorrect.
alex-ppg marked the issue as unsatisfactory: Invalid
alex-ppg marked the issue as primary issue
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104
Vulnerability details
Impact
Due to the way the
claimAuction
function is written, it is also possible to drain the contract when sending bids back to users. This can only happen if the highestBidder made multiple bids which is likely.Proof of Concept
In this section of the
claimAuction
functionThis function
(bool success, ) = payable(owner()).call{value: highestBid}("");
specifically transfers thehighestBid
every time the highestBidder bids is called in the loop.So for a case where the highestBidder bids 0.5Eth, 0.7Eth, 0.8Eth, 1.2Eth bids and 1.5Eth as the winning bid for the auction, the
claimAuction
function will transfer our 1.5 * 5 out of the contract.In a best-case scenario, the contract is drained to the owner wallet, and in the worst-case scenario it'll be impossible to claim the auction NFT in a case where total of Eth left is not up to 7.5Eth,
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
ETH-Transfer