Potential Risk:
The 'createBid' function in the contract is responsible for allowing users to place bids on a Verb auction by sending Ether. While the function includes several checks, it lacks explicit input validation for certain parameters, which could lead to potential issues if the provided parameters are not valid or expected.
Proof of Concept (PoC):
Consider a scenario where a malicious user calls the 'createBid' function with invalid input parameters:
    // Invalid input: Zero address for 'bidder'
    createBid(123, address(0));
In this PoC, the 'createBid' function is called with a zero address for 'bidder.' The lack of input validation checks allows this invalid value to be accepted during the bid creation process, potentially causing runtime errors or issues in the contract.
Recommended Mitigation Steps:
To enhance input validation in the 'createBid' function and mitigate potential risks, consider adding input validation checks for the following conditions:
Ensure that 'bidder' is a valid non-zero Ethereum address.
    function createBid(uint256 verbId, address bidder) external payable override nonReentrant {
        // Work on a memory copy of the current auction
        IAuctionHouse.Auction memory _auction = auction;

        // Input validation: reject a zero-address bidder
        require(bidder != address(0), "Bidder cannot be a zero address");
        require(_auction.verbId == verbId, "Verb not up for auction");
        require(block.timestamp < _auction.endTime, "Auction expired");
        require(msg.value >= reservePrice, "Must send at least reservePrice");
        require(
            msg.value >= _auction.amount + ((_auction.amount * minBidIncrementPercentage) / 100),
            "Must send more than the last bid by minBidIncrementPercentage amount"
        );

        address payable lastBidder = _auction.bidder;

        // Record the new highest bid in storage
        auction.amount = msg.value;
        auction.bidder = payable(bidder);

        // Extend the auction if the bid was received within 'timeBuffer' of the auction end time
        bool extended = _auction.endTime - block.timestamp < timeBuffer;
        if (extended) auction.endTime = _auction.endTime = block.timestamp + timeBuffer;

        // Refund the last bidder, if applicable
        if (lastBidder != address(0)) _safeTransferETHWithFallback(lastBidder, _auction.amount);

        emit AuctionBid(_auction.verbId, bidder, msg.sender, msg.value, extended);
        if (extended) emit AuctionExtended(_auction.verbId, _auction.endTime);
    }
In this solution:
We've added an input validation check to ensure that 'bidder' is a valid non-zero Ethereum address.
This change helps prevent the use of invalid or zero addresses, enhancing the input validation of the 'createBid' function.
By implementing this solution, you can reduce the risk of issues related to invalid or unexpected input parameters when users create bids.
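The following is an added example, not code from the report or the project. It models the bid and refund logic quoted above to show why the check matters: the refund guard treats `address(0)` as "no previous bid", so a bid recorded for the zero address is never paid back when it is outbid. `MiniAuction`, its `validate` flag, the test names and the use of Foundry (`forge-std`) are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed, simplified model of the quoted logic (hypothetical contract).
contract MiniAuction {
    address payable public bidder;
    uint256 public amount;
    bool public immutable validate; // true = apply the recommended check

    constructor(bool _validate) { validate = _validate; }

    function createBid(address _bidder) external payable {
        if (validate) require(_bidder != address(0), "Bidder cannot be a zero address");
        require(msg.value > amount, "Bid too low");
        address payable lastBidder = bidder;
        uint256 lastAmount = amount;
        amount = msg.value;
        bidder = payable(_bidder);
        // Same guard as the quoted code: address(0) means "no previous bid"
        if (lastBidder != address(0)) {
            (bool ok, ) = lastBidder.call{value: lastAmount}("");
            require(ok, "Refund failed");
        }
    }
}

contract ZeroBidderTest is Test {
    address alice = address(0xA11CE); // constructed test accounts
    address bob = address(0xB0B);

    function test_zeroBidderIsNeverRefunded() public {
        MiniAuction a = new MiniAuction(false);
        vm.deal(alice, 1 ether);
        vm.deal(bob, 2 ether);
        vm.prank(alice);
        a.createBid{value: 1 ether}(address(0));
        vm.prank(bob);
        a.createBid{value: 2 ether}(bob);
        // The 1 ether bid stays in the contract: the guard skipped address(0)
        assertEq(address(a).balance, 3 ether);
    }

    function test_checkRejectsZeroBidder() public {
        MiniAuction a = new MiniAuction(true);
        vm.deal(address(this), 1 ether);
        vm.expectRevert("Bidder cannot be a zero address");
        a.createBid{value: 1 ether}(address(0));
    }
}
```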
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L171
Vulnerability details
Here's a recommended solution:
    function createBid(uint256 verbId, address bidder) external payable override nonReentrant {
        IAuctionHouse.Auction memory _auction = auction;
    }
Assessed type
Invalid Validation