code-423n4 / 2023-12-revolutionprotocol-findings


auction.endTime can be increased using timeBuffer. #728

Closed c4-bot-2 closed 10 months ago

c4-bot-2 commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L192

Vulnerability details

Impact

Detailed description of the impact of this finding. Here, if we create a bid in an extended time, then we can create an infinite loop of extended time and our auction.endTime will increase to infinity.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

function createBid(uint256 verbId, address bidder) external payable override nonReentrant {
    IAuctionHouse.Auction memory _auction = auction;

    //require bidder is valid address
    require(bidder != address(0), "Bidder cannot be zero address");
    require(_auction.verbId == verbId, "Verb not up for auction");
    //slither-disable-next-line timestamp
    require(block.timestamp < _auction.endTime, "Auction expired");
    require(msg.value >= reservePrice, "Must send at least reservePrice");
    require(
        msg.value >= _auction.amount + ((_auction.amount * minBidIncrementPercentage) / 100),
        "Must send more than last bid by minBidIncrementPercentage amount"
    );

    address payable lastBidder = _auction.bidder;

    auction.amount = msg.value;
    auction.bidder = payable(bidder);

    // Extend the auction if the bid was received within `timeBuffer` of the auction end time
    bool extended = _auction.endTime - block.timestamp < timeBuffer; // @ line flagged in this report
    if (extended) auction.endTime = _auction.endTime = block.timestamp + timeBuffer; // @ line flagged in this report

    // Refund the last bidder, if applicable
    if (lastBidder != address(0)) _safeTransferETHWithFallback(lastBidder, _auction.amount);

    emit AuctionBid(_auction.verbId, bidder, msg.sender, msg.value, extended);

    if (extended) emit AuctionExtended(_auction.verbId, _auction.endTime);
}

Tools Used

Manual Analysis

Recommended Mitigation Steps

Assessed type

Context
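The extension branch in the createBid quoted above can be modelled off-chain to see how far each late bid moves endTime and what bid it requires. This is an added example, not code from the report or from the Revolution Protocol repository; the class and function names, and any parameter values used with it, are assumptions made for illustration.

```python
# Added model of the checks and extension branch in the quoted createBid (not project code).
# Names are hypothetical; amounts are plain integers standing in for wei.
from dataclasses import dataclass


@dataclass
class Auction:
    end_time: int
    amount: int = 0
    bidder: str = ""


class AuctionModel:
    def __init__(self, end_time, reserve_price, min_bid_increment_pct, time_buffer):
        self.auction = Auction(end_time=end_time)
        self.reserve_price = reserve_price
        self.min_bid_increment_pct = min_bid_increment_pct
        self.time_buffer = time_buffer

    def min_next_bid(self):
        a = self.auction.amount
        return max(self.reserve_price, a + (a * self.min_bid_increment_pct) // 100)

    def create_bid(self, now, bidder, value):
        a = self.auction
        # Same checks, in the same order, as the require() calls in createBid.
        if not now < a.end_time:
            raise ValueError("Auction expired")
        if value < self.reserve_price:
            raise ValueError("Must send at least reservePrice")
        if value < a.amount + (a.amount * self.min_bid_increment_pct) // 100:
            raise ValueError("Must send more than last bid by minBidIncrementPercentage amount")
        a.amount, a.bidder = value, bidder
        # Extension branch: only bids inside the last `time_buffer` seconds move end_time.
        extended = a.end_time - now < self.time_buffer
        if extended:
            a.end_time = now + self.time_buffer
        return extended


def simulate_late_bids(model, rounds):
    """Place the minimum valid bid one second before endTime, `rounds` times."""
    history = []
    for i in range(rounds):
        now = model.auction.end_time - 1
        model.create_bid(now, f"bidder{i % 2}", model.min_next_bid())
        history.append((model.auction.end_time, model.auction.amount))
    return history
```

With constructed values of a 10% increment, a 300-second buffer and a reserve of 1000, four such bids move endTime by 299 seconds each while the required bid rises from 1000 to 1331.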

c4-pre-sort commented 10 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #112

c4-judge commented 9 months ago

MarioPoneder changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

MarioPoneder marked the issue as grade-c