There's a risk of ETH becoming irretrievably locked in the contract if a bidder's address is a contract with either complex logic in its receive() function or no receive() function at all. In such cases, ETH transfers to these addresses could fail and result in permanent loss.
Proof of Concept
- The claimAuction function iterates through auction participants, attempting to return their ETH bids. However, it fails to verify the success of these transactions. This is evident in the line:
  (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
  where success is not checked.
- The contract currently lacks mechanisms to handle failed ETH transfers. As a result, a bidder's funds can be lost indefinitely if the transfer to their contract address fails.
Tools Used
manual review
Recommended Mitigation Steps
Implement checks to verify the success of ETH transfers. If a transfer fails, the contract should have a mechanism to handle the situation, such as allowing bidders to manually withdraw their funds.
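The unchecked-call pattern from the finding next to a pull-payment variant of the recommended mitigation, as an added illustration that is not the NextGen AuctionDemo code; the contract name, placeBid, refundAllUnchecked, refundAllChecked, withdrawRefund and pendingRefunds are assumed names for this example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal refund logic, added to illustrate the finding.
// All identifiers here are assumptions, not AuctionDemo's own names.
contract BidderRefund {
    struct Bid { address bidder; uint256 amount; }
    mapping(uint256 => Bid[]) internal bids;           // tokenId => bids
    mapping(address => uint256) public pendingRefunds; // pull-payment balances

    function placeBid(uint256 tokenId) external payable {
        bids[tokenId].push(Bid(msg.sender, msg.value));
    }

    // Vulnerable pattern (as in the finding): the low-level call's return
    // value is discarded. If a bidder's receive() reverts or is missing,
    // the ETH stays in this contract with no path out, and the loop goes on.
    function refundAllUnchecked(uint256 tokenId) external {
        Bid[] storage list = bids[tokenId];
        for (uint256 i = 0; i < list.length; i++) {
            (bool success, ) = payable(list[i].bidder).call{value: list[i].amount}("");
            // success is never inspected
        }
        delete bids[tokenId];
    }

    // Hardened pattern: on a failed transfer, credit the bidder instead of
    // dropping the ETH, so one bad recipient cannot lose (or block) refunds.
    function refundAllChecked(uint256 tokenId) external {
        Bid[] storage list = bids[tokenId];
        for (uint256 i = 0; i < list.length; i++) {
            (bool success, ) = payable(list[i].bidder).call{value: list[i].amount}("");
            if (!success) {
                pendingRefunds[list[i].bidder] += list[i].amount;
            }
        }
        delete bids[tokenId];
    }

    // Bidders whose push refund failed withdraw it themselves later.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effects before interaction
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "withdraw failed");
    }
}
```

Reverting the whole loop on a single failed transfer is the other option, but it lets one recipient hold every other bidder's refund hostage, which is why the credit-and-withdraw form is preferred.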
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L116-L117
Assessed type
ETH-Transfer