code-423n4 / 2023-10-nextgen-findings


High possibility of DOS #1995

Closed c4-submissions closed 7 months ago

c4-submissions commented 7 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L87

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L65

Vulnerability details

Impact

In the claimAuction function there is a high possibility of DoS where the auction winner is unable to claim the NFT due to high gas cost or not enough gas. This is due to the functions having three loops on the same array of all bids: they are in the returnHighestBid, returnHighestBidder and also in the claimAuction function.

Proof of Concept

Claiming a popular auction might be difficult due to this, as there will be a lot of bidders and bids, which could make looping through the auctionData array very difficult or impossible in that same block.

Tools Used

Manual Review

Recommended Mitigation Steps

Assessed type

DoS

c4-sponsor commented 7 months ago

a2rocket (sponsor) disputed

a2rocket commented 7 months ago

This was already reported in the bot racer report.

c4-pre-sort commented 7 months ago

141345 marked the issue as sufficient quality report

c4-judge commented 7 months ago

alex-ppg marked the issue as duplicate of #2038

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope