Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 94/243
Findings: 2
Award: $25.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104
A flaw in the auction implementation lets an attacker obtain the NFT for the minimum bid through a two-step bidding strategy. The attacker first places a bid at the minimum amount, then places a second bid at an excessively large amount that nobody would match. The only purpose of the second bid is to stop other users from outbidding the attacker. Just before the auction concludes, the attacker cancels that highest bid. The attacker therefore spends only the minimum amount and acquires the NFT at a nominal cost.
Step 1: Attacker places the initial bid with the minimum amount
    participateToAuction(tokenId) with minAmount as msg.value
Step 2: Attacker places a second bid with a very large amount; this prevents other users from participating in the bidding.
    participateToAuction(tokenId) with largeAmount as msg.value
Step 3: Attacker cancels the highest bid just before the auction end time
    cancelBid(tokenId, index_of_highestBidId)
Step 4: Auction ends, and the attacker claims the auction with minAmount
    claimAuction(tokenId)
Result: The attacker acquires the NFT by spending only the minimum amount.
Manual Review
Implement logic so that a new bid from a bidder outbids that bidder's own previous bid when it is placed.
ERC721
#0 - c4-pre-sort
2023-11-14T09:57:07Z
141345 marked the issue as duplicate of #1904
#1 - c4-pre-sort
2023-11-14T23:31:53Z
141345 marked the issue as duplicate of #962
#2 - c4-judge
2023-12-02T15:11:51Z
alex-ppg marked the issue as not a duplicate
#3 - c4-judge
2023-12-02T15:13:37Z
alex-ppg marked the issue as duplicate of #1784
#4 - c4-judge
2023-12-07T11:51:28Z
alex-ppg marked the issue as duplicate of #1323
#5 - c4-judge
2023-12-08T17:14:47Z
alex-ppg marked the issue as partial-25
#6 - c4-judge
2023-12-08T17:27:47Z
alex-ppg marked the issue as satisfactory
#7 - c4-judge
2023-12-08T17:40:47Z
alex-ppg marked the issue as partial-25
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134
The existing implementation of AuctionDemo permits malicious users to manipulate the bidding process. Such a user places a counter bid against each new highest bid, inflating the NFT price, and then cancels all of those bids just before the auction concludes. As a consequence, other bidders are compelled to pay inflated amounts to claim the NFT.
Step 1: Malicious user places counter bids to inflate the NFT price
    Malicious user: participateToAuction(tokenId) with highestBidAmount + incrementAmount1 as msg.value
    Malicious user: participateToAuction(tokenId) with highestBidAmount + incrementAmount2 as msg.value
    Repeated each time another user places a new bid.
Step 2: Malicious user cancels all of their bids, or just the highest bid, right before the auction concludes
    cancelAllBids()
Result: Other bidders must pay inflated amounts to claim the NFT because of the manipulated bids.
Manual Review
Prevent users from canceling their bid if they are the highest bidder. This measure compels the highest bidder or any potential malicious user to proceed with claiming the NFT rather than canceling the bid.
Other
#0 - c4-pre-sort
2023-11-15T00:58:41Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-02T15:11:49Z
alex-ppg marked the issue as not a duplicate
#2 - c4-judge
2023-12-02T15:13:33Z
alex-ppg marked the issue as duplicate of #1784
#3 - c4-judge
2023-12-07T11:51:29Z
alex-ppg marked the issue as duplicate of #1323
#4 - c4-judge
2023-12-08T17:14:45Z
alex-ppg marked the issue as partial-25
#5 - c4-judge
2023-12-08T17:27:47Z
alex-ppg marked the issue as satisfactory
#6 - c4-judge
2023-12-08T17:36:15Z
alex-ppg marked the issue as partial-25
🌟 Selected for report: bird-flu
Also found by: 00decree, 0xAadi, AS, Audinarey, DeFiHackLabs, Eigenvectors, Fitro, Hama, Kaysoft, Krace, REKCAH, SovaSlava, The_Kakers, Viktor_Cortess, cartlex_, degensec, devival, evmboi32, funkornaut, jacopod, openwide, peanuts, rotcivegaf, smiling_heretic, xAriextz, xiao
25.2356 USDC - $25.24
The NFT owner does not receive any Ether when the auction concludes. The code in claimAuction() transfers the winning bid amount to the contract owner rather than to the NFT owner, which is an unfavorable outcome for the auction process.
See line 113, which transfers highestBid to the contract owner (owner()) rather than to ownerOfToken.
File: smart-contracts/AuctionDemo.sol
113: @> (bool success, ) = payable(owner()).call{value: highestBid}("");
114:    emit ClaimAuction(owner(), _tokenid, success, highestBid);
Manual Review
Use ownerOfToken instead of owner() at line 113.
for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) { if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) { IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid); - (bool success, ) = payable(owner()).call{value: highestBid}(""); + (bool success, ) = payable(ownerOfToken).call{value: highestBid}(""); emit ClaimAuction(owner(), _tokenid, success, highestBid); } else if (auctionInfoData[_tokenid][i].status == true) { (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
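Review bot: the emit on the line after the changed call still reports owner() as the recipient (`emit ClaimAuction(owner(), _tokenid, success, highestBid);`) even though the payout now goes to ownerOfToken; change it to `emit ClaimAuction(ownerOfToken, _tokenid, success, highestBid);` so the event matches the transfer. Separately, `success` from the low-level call is never checked in either branch of this loop, so a failed payout to ownerOfToken, or a failed refund to a losing bidder in the else branch, is only recorded in the event and otherwise ignored; a plain `require(success, ...)` would surface the failure but lets one reverting refund recipient block the whole claim, so a pull-payment style refund for the losing bids is the safer shape.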
ETH-Transfer
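The three findings above all concern one bid / cancel / claim state machine, so here is a single worked model covering them. This is an added Python example, not code from the warden's submissions or from the NextGen AuctionDemo contract: it models only what the findings describe (a new bid must exceed the highest still-active bid, cancelBid takes the index of one of the caller's active bids and refunds it, claimAuction pays the winning bid out and refunds the other active bids). The class and function names (Auction, Bid, require, attempt, two_bid_scenario, inflate_scenario), the field names (token_owner, end_time, now, balances) and the protect_highest_bidder switch are this example's own assumptions. With the switch on, cancel() applies the second finding's recommendation (the current highest bidder cannot cancel); claim() always pays the NFT owner rather than the contract owner, i.e. the third finding's proposed fix.

```python
from dataclasses import dataclass, field

class AuctionError(Exception):
    """Stands in for a Solidity revert in this model."""

def require(cond: bool, msg: str) -> None:
    """Mirror of Solidity's require(): raise instead of reverting."""
    if not cond:
        raise AuctionError(msg)

@dataclass
class Bid:
    bidder: str
    amount: int          # wei
    active: bool = True  # mirrors the contract's per-bid `status` flag

@dataclass
class Auction:
    """Toy model of AuctionDemo's bid / cancel / claim flow for one token; the
    field names and the protect_highest_bidder switch are this model's own."""
    token_owner: str
    end_time: int
    protect_highest_bidder: bool = True  # the check recommended in finding 2
    now: int = 0
    bids: list = field(default_factory=list)
    balances: dict = field(default_factory=dict)  # ETH paid out, per address

    def _highest(self) -> "Bid | None":
        active = [b for b in self.bids if b.active]  # cancelled bids no longer count
        return max(active, key=lambda b: b.amount) if active else None

    def participate(self, bidder: str, value: int) -> int:
        require(self.now <= self.end_time, "auction ended")
        top = self._highest()
        require(top is None or value > top.amount, "must exceed highest bid")
        self.bids.append(Bid(bidder, value))
        return len(self.bids) - 1  # index later passed to cancel()

    def cancel(self, bidder: str, index: int) -> None:
        require(self.now <= self.end_time, "auction ended")
        bid = self.bids[index]
        require(bid.bidder == bidder and bid.active, "not the caller's active bid")
        # Hardening from finding 2: the current highest bidder is committed.
        require(not (self.protect_highest_bidder and self._highest() is bid), "highest bidder cannot cancel")
        bid.active = False
        self._pay(bidder, bid.amount)  # refund

    def claim(self) -> str:
        """Pay the winning bid to the NFT owner (finding 3's fix), refund the rest."""
        require(self.now > self.end_time, "auction still running")
        winner = self._highest()
        require(winner is not None, "no active bids")
        for b in self.bids:
            if b.active:
                self._pay(self.token_owner if b is winner else b.bidder, b.amount)
                b.active = False
        return winner.bidder

    def _pay(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

def attempt(fn, *args) -> bool:
    """Run a call that may 'revert'; True if it succeeded."""
    try:
        fn(*args)
        return True
    except AuctionError:
        return False

def two_bid_scenario(protect: bool) -> dict:
    """Finding 1: minimum bid, then a deterrent bid, then cancel the deterrent."""
    a = Auction("nft_owner", end_time=100, protect_highest_bidder=protect, now=1)
    a.participate("attacker", 1_000)         # the minimum amount
    big = a.participate("attacker", 10**21)  # nobody will outbid this
    locked_out = not attempt(a.participate, "honest", 2_000)
    a.now = 100                              # last moment before the end
    cancelled = attempt(a.cancel, "attacker", big)
    a.now = 101
    winner = a.claim()
    return {"locked_out": locked_out, "cancelled": cancelled,
            "winner": winner, "paid": dict(a.balances)}

def inflate_scenario(protect: bool) -> dict:
    """Finding 2: counter every honest bid, then try to cancel the counter bids."""
    a = Auction("nft_owner", end_time=100, protect_highest_bidder=protect, now=1)
    a.participate("honest", 1_000)
    m1 = a.participate("malicious", 1_100)
    a.participate("honest", 1_200)
    m2 = a.participate("malicious", 1_300)
    a.now = 100
    cancelled = sum(attempt(a.cancel, "malicious", i) for i in (m1, m2))
    a.now = 101
    winner = a.claim()
    return {"cancelled": cancelled, "winner": winner, "paid": dict(a.balances)}
```

Running two_bid_scenario(False) shows the first finding: the deterrent bid is refunded, the attacker wins, and the NFT owner receives only the 1,000 wei minimum. With protect_highest_bidder=True the cancel is refused, so the attacker still wins but pays the full 10**21 wei; the honest bidder is locked out in both runs, which is why the first finding's separate recommendation (a bidder's new bid must outbid their own previous one) is also worth applying. inflate_scenario(False) ends with the honest bidder paying 1,200 instead of 1,000; with the check on, the malicious user can cancel the non-highest counter bid but is committed to the 1,300 wei top bid and becomes the buyer. In every run the payout lands in the "nft_owner" balance and "contract_owner" never appears, which is the third finding's fix.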
#0 - c4-pre-sort
2023-11-20T14:24:20Z
141345 marked the issue as duplicate of #245
#1 - c4-judge
2023-12-08T22:25:18Z
alex-ppg marked the issue as satisfactory
#2 - c4-judge
2023-12-09T00:22:22Z
alex-ppg changed the severity to 2 (Med Risk)