Closed c4-submissions closed 7 months ago
141345 marked the issue as primary issue
141345 marked the issue as duplicate of #1172
alex-ppg marked the issue as not a duplicate
The Warden specifies a potential issue in the way bids are eligible to be canceled after the claimAuction
function is executed, however, they fail to properly articulate how or why.
alex-ppg marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
Bidders funds will get stuck
Proof of Concept
After Auction winner claims token, his/her status is not set to false so he is eligible for a refund because the refund logic checks for all indexes with status set to true, which not supposed to be so. So the refund transaction will not be successful because the funds to be refunded are less than the amount of users that are eligible to receive a refund. And users cannot cancel bid because Auction is over, so the function wont work
function cancelBid(uint256 _tokenid, uint256 index) public { require( block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended"
function cancelAllBids(uint256 _tokenid) public { require( block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended" );
The claim/refund function is in the link description
Tools Used
Manual Review
Recommended Mitigation Steps
Add a line of code that sets that Auctionwinner bid index to false.
Assessed type
Other