Not winning bid funds refund is not checked for success or failure, so that any previous bid _auction.amount can be lost.
Summary
Function _safeTransferETHWithFallback refunds the previous bid amount, of latest bigger one, to bidder, but does not return any boolean value. If the transfer fails, funds will never be refunded.
Vulnerability Detail
When a bigger bid is created by NounsAuctionHouseV2.sol::createBid, the previous winning bid is payed back by NounsAuctionHouseV2.sol::_safeTransferETHWithFallback.
nouns-contracts/contracts/NounsAuctionHouseV2.sol#L165
if (lastBidder != address(0)) {
@> _safeTransferETHWithFallback(lastBidder, _auction.amount);
}
_safeTransferETHWithFallback is void, there is no boolean value returned. In case the transfer of the funds fails, the auction continues normally, but without any funds returned to last bidder.
nouns-contracts/contracts/NounsAuctionHouseV2.sol#L304-L309
function _safeTransferETHWithFallback(address to, uint256 amount) internal {
if (!_safeTransferETH(to, amount)) {
IWETH(weth).deposit{ value: amount }();
IERC20(weth).transfer(to, amount);
}
}
A revert could be triggered here, when this transfer fails, but maybe it's too much. By emitting an event the DAO knows, if the funds were really transferred, to correct the issue.
gkelis
medium
Not winning bid funds refund is not checked for success or failure, so that any previous bid
_auction.amount
can be lost.Summary
Function
_safeTransferETHWithFallback
refunds the previous bid amount, of latest bigger one, to bidder, but does not return any boolean value. If the transfer fails, funds will never be refunded.Vulnerability Detail
When a bigger bid is created by
NounsAuctionHouseV2.sol::createBid
, the previous winning bid is payed back byNounsAuctionHouseV2.sol::_safeTransferETHWithFallback
. nouns-contracts/contracts/NounsAuctionHouseV2.sol#L165_safeTransferETHWithFallback
is void, there is no boolean value returned. In case the transfer of the funds fails, the auction continues normally, but without any funds returned to last bidder. nouns-contracts/contracts/NounsAuctionHouseV2.sol#L304-L309This issue is also valid for the contract NounsAuctionHouse.sol, instead of NounsAuctionHouseV2.sol, which is described here. Everything is the same, but the links are: https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouse.sol#L118-L120, https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouse.sol#L246-L251
Impact
Previous bid funds, can be trapped in DAO, when a bigger bid happens, if the refund transfer fails.
Code Snippet
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouseV2.sol#L163-L166
Tool used
Manual Review
Recommendation
Change
NounsAuctionHouseV2.sol::_safeTransferETHWithFallback
to return a boolean.Check if
_safeTransferETHWithFallback
has succeeded.A revert could be triggered here, when this transfer fails, but maybe it's too much. By emitting an event the DAO knows, if the funds were really transferred, to correct the issue.