Closed c4-submissions closed 7 months ago
a2rocket (sponsor) disputed
mintAndAuction mints a token to a trusted wallet; that wallet will setApprovalForAll also.
141345 marked the issue as duplicate of #245
141345 marked the issue as not a duplicate
141345 marked the issue as duplicate of #364
alex-ppg marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L112
Vulnerability details
Impact
The vulnerability in the AuctionDemo contract has a significant impact on the ability of auction winners to claim their NFTs. The root cause is that the AuctionDemo contract fails to check whether it owns, or has approval to transfer, the NFT token being auctioned before opening the auction to participants. If the contract neither owns the token nor holds the necessary approval, the winner will be unable to claim the auctioned NFT.
Proof of Concept
To demonstrate this vulnerability, consider a scenario in which the admin starts an auction in the AuctionDemo contract via a minter.mintAndAuction call but sets the recipient for the NFT to an address that is not equal to address(AuctionDemo). When a participant becomes the winner and attempts to claim the NFT, the contract fails to transfer it because it does not own the token.

Steps:
1. The admin calls minter.mintAndAuction to start an auction, but the recipient for the NFT token is set to an address that doesn't belong to the AuctionDemo contract.
2. Participants enter the auction through the participateToAuction function, and one of them becomes the winner.
3. The winner attempts to claim the NFT, and the transfer fails because the AuctionDemo contract neither owns the token nor has approval to transfer it.

Tools Used
Manual Review
Recommended Mitigation Steps
To mitigate this issue, it is recommended to implement a check to ensure that the AuctionDemo contract either owns the NFT or has the necessary approval to transfer the token before allowing participants to join the auction.
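As an added illustration of the mitigation (example code written for this note, not NextGen's AuctionDemo or any code from the contest repository), the hypothetical single-token contract below gates auction creation and every bid on a canTransfer() check that accepts the token being held by the contract, a per-token approval, or an operator approval from the current holder; the contract name, the constructor, canTransfer, claimAuction and withdrawRefund are assumed names, and the interface uses only standard ERC-721 functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC721 { // minimal ERC-721 surface used by the check (standard selectors)
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
// Hypothetical single-token auction (not NextGen's AuctionDemo), reduced to the
// transferability check, the bid path and the claim path; refunds use a pull pattern.
contract HardenedAuction {
    IERC721 public nft;
    uint256 public tokenId;
    uint256 public auctionEnd;
    address public highestBidder;
    uint256 public highestBid;
    mapping(address => uint256) public refunds;
    constructor(address nft_, uint256 tokenId_, uint256 duration) {
        nft = IERC721(nft_); tokenId = tokenId_; auctionEnd = block.timestamp + duration;
        // Fail early: never open bidding on a token this contract could not deliver.
        require(canTransfer(), "auction contract cannot transfer token");
    }
    // True when the contract holds the token itself, or has per-token or operator approval.
    function canTransfer() public view returns (bool) {
        address holder = nft.ownerOf(tokenId); // reverts if the token was never minted
        if (holder == address(this) || nft.getApproved(tokenId) == address(this)) return true;
        return nft.isApprovedForAll(holder, address(this));
    }
    function participateToAuction() external payable {
        require(block.timestamp < auctionEnd, "auction over");
        require(msg.value > highestBid, "bid too low");
        // Re-check on every bid: an operator approval granted earlier can be revoked at any time.
        require(canTransfer(), "auction contract cannot transfer token");
        if (highestBidder != address(0)) refunds[highestBidder] += highestBid;
        highestBidder = msg.sender;
        highestBid = msg.value;
    }
    function claimAuction() external {
        require(block.timestamp >= auctionEnd, "auction running");
        require(msg.sender == highestBidder, "not winner");
        highestBidder = address(0); // prevent double claim
        nft.safeTransferFrom(nft.ownerOf(tokenId), msg.sender, tokenId);
    }
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Checking only at auction creation is not sufficient when the token sits in a third-party wallet, as in the sponsor's trusted-wallet flow, because that wallet can revoke setApprovalForAll after bids have been placed; repeating the check on each bid limits how much bidder value can be locked behind an undeliverable token.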
Assessed type
Access Control