Closed c4-submissions closed 6 months ago
141345 marked the issue as sufficient quality report
a2rocket (sponsor) confirmed
The Warden specifies that the Sponsor should introduce some form of emergency withdrawal mechanism in their Auction system.
While a correct recommendation, the warden relies on a separate exhibit to justify it which I deem invalid. Additionally, funds cannot be accidentally sent to the contract as it has no receive
mechanism or other payable
method and can only accept funds "deliberately" (i.e. recipient of coin base rewards or selfdestruct
recipient).
As such, I will downgrade to QA.
alex-ppg changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L0-L151
Vulnerability details
Description
AuctionDemo.sol
has no function to rescue funds. So, any non-bidder ether sent to the contract is forever lost. Also, as my other reports states, the contract is vulnerable to gas-griefing and out-of-gas error, which are attacks that locks funds and can be softened if a emergency withdraw function exists.Proof of Concept
Impact
Protocol can't rescue funds from attacks or mistakes.
Tools Used
Manual Review
Recommended Mitigation Steps
Add an
emergencyWithdraw
function.Assessed type
ETH-Transfer