Frontrunning the highest winning bid and having users funds permanently blocked can happen by bidding in the same block as the wining claim

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L57-L58 https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L105

Vulnerability details

Summary

Biding in an auction (via auctionDemo::participateToAuction) and claiming the NFT at the end of an auction (via auctionDemo::claimAuction) can be called in the same block. This introduces 2 major issues:

• Exactly in the block when an auction is finished, a user may frontrun the call to claimAuction with his own participateToAuction (or simply call participateToAuction directly it nobody called claimAuction) and win simply by adding 1 WEI over the previous las winning bid, then himself call claimAuction in the same block and retrieve the NFT. Thus winning the NFT auction by 1 WEI.
• If a normal user bids in the same block when claimAuction is called but his transaction is after the claimAuction, it will not revert and he will lose his funds forever since after that block, the cancel bids functions will not work any more

Vulnerability Details

After an auction has started users can bid using auctionDemo::participateToAuction and when the auction is finished, the winner or admin can call auctionDemo::claimAuction to refund non-winners and send the NFT to the winner.

auctionDemo::participateToAuction and auctionDemo::claimAuction can be called in the same block because:

• participateToAuction checks: block.timestamp <= minter.getAuctionEndTime(_tokenid)
• claimAuction checks: block.timestamp >= minter.getAuctionEndTime(_tokenid)

thus in the moment block.timestamp == minter.getAuctionEndTime(_tokenid) both can be called.

cancelAllBids and cancelBid also check as so block.timestamp <= minter.getAuctionEndTime(_tokenid), to note they will not be callable after the end time has passed, making bids after the claimAuction

Impact

NFT winning bid may be frontrun and surpassed with 1 WEI and users may have ETH forever blocked in the contract.

Tools Used

Manual review

Recommendations

Do not allow participateToAuction and claimAuction to be called at the same time.

Assessed type

Timing

[c4-pre-sort]

141345 marked the issue as duplicate of #962

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #1926

[c4-judge]

alex-ppg marked the issue as partial-50

[c4-judge]

alex-ppg changed the severity to 2 (Med Risk)