code-423n4 / 2023-10-nextgen-findings


Risk of Permanent ETH Loss for Bidders #1992

Closed c4-submissions closed 7 months ago

c4-submissions commented 7 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L116-L117

Vulnerability details

Impact

There's a risk of ETH becoming irretrievably locked in the contract if a bidder's address is a contract with either complex logic in its receive() function or no receive() function at all. In such cases, ETH transfers to these addresses could fail and result in permanent loss.

Proof of Concept

- The claimAuction function iterates through auction participants, attempting to return their ETH bids. However, it fails to verify the success of these transactions. This is evident in the line: (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");, where success is not checked.
- The contract currently lacks mechanisms to handle failed ETH transfers. As a result, a bidder's funds can be lost indefinitely if the transfer to their contract address fails.

Tools Used

manual review

Recommended Mitigation Steps

Assessed type

ETH-Transfer
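The unchecked refund described in this finding beside a pull-payment variant that records failed refunds for later withdrawal, as an added illustration that is not NextGen's AuctionDemo code (the contract, struct, mapping and function names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not NextGen's AuctionDemo: the unchecked push refund
// next to a hardened version that credits failed refunds for withdrawal.
contract RefundPatterns {
    struct Bid { address bidder; uint256 bid; }
    mapping(uint256 => Bid[]) public bids;             // hypothetical bid store
    mapping(address => uint256) public pendingRefunds; // credits for failed pushes

    event RefundFailed(address indexed bidder, uint256 amount);
    event RefundWithdrawn(address indexed bidder, uint256 amount);

    // Vulnerable shape from the finding: the call result is discarded, so a
    // bidder whose address rejects ETH (no receive(), reverting receive())
    // silently loses the bid and nothing records that it happened.
    function refundUnchecked(uint256 tokenId, uint256 i) internal {
        Bid memory b = bids[tokenId][i];
        (bool success, ) = payable(b.bidder).call{value: b.bid}(""); // success unused
    }

    // Hardened shape: a failed push neither reverts the whole claim loop nor
    // drops the ETH; the amount is credited to the bidder for a later pull.
    function refundChecked(uint256 tokenId, uint256 i) internal {
        Bid memory b = bids[tokenId][i];
        (bool success, ) = payable(b.bidder).call{value: b.bid}("");
        if (!success) {
            pendingRefunds[b.bidder] += b.bid;
            emit RefundFailed(b.bidder, b.bid);
        }
    }

    // Pull path: only the credited bidder can collect, and the credit is
    // zeroed before the external call so a re-entrant call finds nothing.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "withdraw failed");
        emit RefundWithdrawn(msg.sender, amount);
    }
}
```

The RefundFailed event also gives off-chain monitoring a concrete signal that a refund was credited rather than delivered.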

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #27

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope
