Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 127/243
Findings: 3
Award: $5.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
Malicious bidders can steal ETH twice the amount they bid by exploiting cross-function reentrancy.
Consider the following scenario with participants Alice, Bob, and Bob's second account (let's call it Ron) in the auction:
1)Alice, Ron, and Bob bid 1 ETH, 2 ETH, and 3 ETH, respectively.
2)Bob, as the highest bidder, calls claimAuction when block.timestamp == minter.getAuctionEndTime(_tokenId).
3)The claimAuction function also refunds the amount to the bidders who lost the auction. Once the winner claims the auction or the function admin calls it.
4)During the loop iteration, the amount is refunded to Ron. Ron can then re-enter the cancelBid function to cancel the bid as soon as it receives the funds, effectively receiving the funds twice, Ron receives 4 ETH.
5)Upon the loop's third iteration, the NFT is sent to the winner, and the function execution finishes.
Link to relevant code - Line 116
Link to relevant code - Line 124
vscode
Ensure that the claimAuction function is called only after the auction has ended.
- require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true); + require(block.timestamp > minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true);
Reentrancy
#0 - c4-pre-sort
2023-11-15T05:24:38Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-04T21:41:57Z
alex-ppg marked the issue as duplicate of #1323
#2 - c4-judge
2023-12-08T17:49:06Z
alex-ppg marked the issue as partial-50
🌟 Selected for report: The_Kakers
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0xJuda, 0x_6a70, 0xarno, 0xpiken, Arabadzhiev, Bauchibred, BugsFinder0x, BugzyVonBuggernaut, ChrisTina, DeFiHackLabs, Delvir0, HChang26, Haipls, Jiamin, Juntao, KupiaSec, Madalad, Neon2835, Nyx, Ocean_Sky, SpicyMeatball, Talfao, Taylor_Webb, Timenov, Tricko, ZdravkoHr, _eperezok, alexxander, amaechieth, bdmcbri, bronze_pickaxe, circlelooper, crunch, cu5t0mpeo, dimulski, fibonacci, funkornaut, immeas, ke1caM, lsaudit, nuthan2x, r0ck3tz, rotcivegaf, spark, tnquanghuy0512, twcctop, xeros
0.4703 USDC - $0.47
The winner of the auction can render the claimAuction function useless for a particular ID by bidding through a smart contract and not adding the onERC721Received callback hook. This callback is called by the NFT contract to ensure that the smart contract is capable of receiving and transferring the NFT. The malicious bidder will lose funds for a particular auction, and other bidders will not receive refunds because the function will revert each time.
Consider the following scenario with participants Alice and Bob in the auction:
A) Alice bids 1 ETH for tokenId = 2.
B) Other bidders participate in the auction for the same tokenId.
C) Bob places the highest bid (for tokenId = 2) and becomes the winner of the auction after it ends. However, he bid using a smart contract that did not implement the onERC721Received callback hook, either intentionally or unintentionally.
D) If the winner or admin calls the claimAuction function for the same tokenId, IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenId); will revert. This is because the callback checks whether the recipient contract is capable of receiving ERC721, but in this case, it is not, resulting in a revert.
Link to relevant code - Line 112
VSCode
Use transferFrom instead of safeTransferFrom.
DoS
#0 - c4-pre-sort
2023-11-20T13:57:07Z
141345 marked the issue as duplicate of #486
#1 - c4-judge
2023-12-01T22:09:44Z
alex-ppg marked the issue as not a duplicate
#2 - c4-judge
2023-12-01T22:10:07Z
alex-ppg marked the issue as duplicate of #1759
#3 - c4-judge
2023-12-08T22:05:36Z
alex-ppg marked the issue as partial-50
#4 - c4-judge
2023-12-09T00:23:42Z
alex-ppg changed the severity to 2 (Med Risk)
🌟 Selected for report: HChang26
Also found by: 0x3b, 0xMAKEOUTHILL, 0xSwahili, 0xarno, ABA, DeFiHackLabs, Eigenvectors, Haipls, Kow, MrPotatoMagic, Neon2835, Nyx, Zac, alexfilippov314, ayden, c3phas, immeas, innertia, lsaudit, merlin, mojito_auditor, oakcobalt, ohm, oualidpro, peanuts, phoenixV110, sces60107, t0x1c, tnquanghuy0512, ubl4nk, volodya, xAriextz
5.4864 USDC - $5.49
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L58 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L58
In the AuctionDemo.sol contract, a bidder can participate in the auction using the participateToAuction function. However, there is an edge case where bidders can lose money if they bid when block.timestamp == AuctionEndTime and their transaction is below the winner's transaction in the block. In this scenario, the winner may intentionally or unintentionally pay a high gas fee to include their transaction at the top of the block, causing other transactions to be processed after theirs. Participants cannot cancel their bids because the time would have passed, and there is no recovery function to retrieve ETH from the contract.
Let's consider the following scenario with participants Alice, Ron, and Bob in the auction:
vscode
start claiming of auction only after bidding is finished
Other
#0 - c4-pre-sort
2023-11-20T13:54:33Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-02T15:33:07Z
alex-ppg marked the issue as not a duplicate
#2 - c4-judge
2023-12-02T15:35:00Z
alex-ppg marked the issue as duplicate of #1926
#3 - c4-judge
2023-12-08T18:49:33Z
alex-ppg marked the issue as partial-50
#4 - c4-judge
2023-12-09T00:21:41Z
alex-ppg changed the severity to 2 (Med Risk)