Open c4-submissions opened 11 months ago
141345 marked the issue as duplicate of #245
alex-ppg marked the issue as satisfactory
After re-visiting, I consider this submission to be better than #738 because it also correctly specifies that the event should be fixed rather than just the statement. While I cannot penalize submissions for not including the event in their proposed remediations, I can mark a submission that cites it and is of equivalent quality as "best".
alex-ppg marked the issue as selected for report
Hi @alex-ppg, here is why I believe this issue is QA at most:
Thank you for taking the time to read this.
Hey @mcgrathcoutinho, thanks for contributing! The code goes against its specification and breaks an invariant of the protocol. Regardless of severity, an invariant being broken will always be considered a medium-risk issue given that it relates to pivotal functionality in the system being incorrect.
In this case, funds are sent to a NextGen address rather than a collection-affiliated address or secondary smart contract meant to facilitate fund disbursements. This has implications tax-wise, implications about trust (i.e. if a 10m auction is held, the stakes of trust are increased significantly), and other such problems. Logistically, it is also a heavy burden to manage multiple auction payments at once, prove which source sent which, and so on.
Combining the above with the fact that a clear invariant of the protocol is broken, I will maintain the medium-risk rating.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L113-L114
Vulnerability details
Summary
At the end of an auction in AuctionDemo, the highest bidder claims the token; this transfers the token from the token owner to the auction winner. In the same transaction, the token owner should receive the auction payout.
However, the function AuctionDemo::claimAuction() sends the payout to the AuctionDemo contract owner. This behavior deviates from the listed invariant: "The highest bidder will receive the token after an auction finishes, the owner of the token will receive the funds and all other participants will get refunded".
alice deployed the AuctionDemo contract and cecilia approved the AuctionDemo contract to transfer her token to the winning bidder, bob. bob claims his winnings. The token is transferred from cecilia to bob. The bid from bob is sent to alice. cecilia gets nothing.
Impact
Any auction executed through AuctionDemo will have proceeds sent to the AuctionDemo contract owner, not the token owner. The token owner is left without auction proceeds.
PoC
Tools Used
Manual Review
Recommendations
Use ownerOfToken instead of owner (AuctionDemo L113-L114).
Assessed type
ETH-Transfer
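As an added illustration (not code from the NextGen repository or from the warden), the following constructed contract shows the shape of the payout step described above in its reported form and in the recommended form, including the event fix the judge mentions. The gencore interface, the internal function names and the ClaimAuction event signature are assumptions for this example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example, not NextGen's AuctionDemo. It isolates the payout step
// of claimAuction() so the two recipients (owner vs ownerOfToken) can be compared.
interface IERC721Like {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

abstract contract AuctionPayoutExample {
    address public owner;        // deployer of the auction contract ("alice")
    IERC721Like public gencore;  // NFT contract holding the auctioned token (assumed)

    // Assumed event shape: recipient of the funds, token, call result, amount.
    event ClaimAuction(address indexed recipient, uint256 indexed tokenId, bool success, uint256 funds);

    // Reported behaviour: token moves from the token owner to the bidder, but the
    // ETH and the emitted recipient both point at the auction contract's owner.
    function _payoutToContractOwner(uint256 tokenId, address highestBidder, uint256 highestBid) internal {
        address ownerOfToken = gencore.ownerOf(tokenId);              // "cecilia"
        gencore.safeTransferFrom(ownerOfToken, highestBidder, tokenId); // cecilia -> bob
        (bool success, ) = payable(owner).call{value: highestBid}("");  // funds go to alice
        emit ClaimAuction(owner, tokenId, success, highestBid);        // event also names alice
    }

    // Recommended behaviour: pay the token owner. Note ownerOf() must be read
    // BEFORE safeTransferFrom, because afterwards it returns the bidder.
    function _payoutToTokenOwner(uint256 tokenId, address highestBidder, uint256 highestBid) internal {
        address ownerOfToken = gencore.ownerOf(tokenId);              // cached pre-transfer
        gencore.safeTransferFrom(ownerOfToken, highestBidder, tokenId);
        (bool success, ) = payable(ownerOfToken).call{value: highestBid}(""); // funds go to cecilia
        emit ClaimAuction(ownerOfToken, tokenId, success, highestBid); // event records the real recipient
    }
}
```

A unit test for the fix would assert that the token owner's balance, not the deployer's, grows by highestBid after the claim, and that the ClaimAuction log names that same address.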