Closed c4-submissions closed 7 months ago
141345 marked the issue as duplicate of #1632
141345 marked the issue as duplicate of #843
141345 marked the issue as duplicate of #486
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as primary issue
alex-ppg marked issue #1785 as primary and marked this issue as a duplicate of 1785
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #734
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Description
claimAuction
is used to redeem the auction's ERC-721 and refund all bidders that didn't win the auction. In this process, callbacks are sent to every single bidder via low-level calls (that triggers fallbacks/receives) andERC721.safeTransferFrom
. So, every bidder has an access to a callback whenclaimAuction
is called, which makes possible to any of them to perma-revert the function via gas-griefing.Proof of Concept
Auction has ended and the winner calls
claimAuction
:If an attacker is a bidder that lost the auction, he needs to be refunded. So, the following line will call him:
If attacker is a smart contract,
fallback/receive
will be triggered to handle the received ether. In this callback, attacker can gas-grief returning a very long string:The gas-grief will revert
claimAuction
, potentially perma-locking all the funds and the prize in the contract, because there are no other function to claim the refunds or the prize. Also, there is no emergency withdraw function.If luckily there weren't any auction's loser trying to gas-grief, the winner can also denial of service the function if he wants. The line
IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid);
triggers a callback, which winner can use to revert:Impact
Any bidder can lock all the funds and the prize forever.
Tools Used
Manual Review
Recommended Mitigation Steps
Claims and refunds needs to be individual, so add a function to individually refund and make
claimAuction
a function that only transfers the ERC-721.Assessed type
DoS