Back to Silvermist's contests

NextGen - Silvermist's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Findings Distribution

Researcher Performance

Rank: 209/243

Findings: 1

Award: $0.00

๐ŸŒŸ Selected for report: 0

๐Ÿš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNextGen

Findings Information

๐ŸŒŸ Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-1323

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134-L143 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L135

Vulnerability details

Impact

The logic behind the claimAuction is that higgestBidder receives the NFT and its bid is transferred to the owner of the NFT. The other participants in the auction get back their money back.

There is a function cancelBid which allows users to cancel thะตir bid before the auction's end and get their money back. The problem here occures because of the check in the cancelBid require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");. It allows users to cancel their bid before the end of the auction or exactly when the auction ends.

If claimAuction and cancelBid are executed in the same block on block.timestamp == minter.getAuctionEndTime(_tokenid), the winner can get the NFT for free or a bidders can return its bid even though it has already been returned.

Proof of Concept

A possible scenario:

  1. Bob sends the higgest bid, so he can become the winner.
  2. The winner(which will be Bob) calls claimAuction as soon as the auction ends so block.timestamp == minter.getAuctionEndTime(_tokenid) and gets the NFT.
  3. Immediatelly after that, Bob calls cancelBid and because of the require that allows the function to be called on the auction end timestamp, he can get his money.
  4. Bob ends with the NFT and as he was able to call the cancelBid and return his money, the NFT is free for him.

Another possible scenario: Although all bidder's money (except the winner's) are returned in this else if. A bidder can call cancelBid on block.timestamp == minter.getAuctionEndTime(_tokenid) and retrieve its bid even though it has already been returned.

Tools Used

Manual Review

cancelBid and cancelAllBids should allow bidder to cancel its bid only before auction end

    function cancelBid(uint256 _tokenid, uint256 index) public {
-       require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");
+       require(block.timestamp < minter.getAuctionEndTime(_tokenid), "Auction ended");
        require(auctionInfoData[_tokenid][index].bidder == msg.sender && auctionInfoData[_tokenid][index].status == true);
        auctionInfoData[_tokenid][index].status = false;
        (bool success, ) = payable(auctionInfoData[_tokenid][index].bidder).call{value: auctionInfoData[_tokenid][index].bid}("");
        emit CancelBid(msg.sender, _tokenid, index, success, auctionInfoData[_tokenid][index].bid);
    }

Assessed type

Other

#0 - c4-pre-sort

2023-11-17T08:41:32Z

141345 marked the issue as duplicate of #962

#1 - c4-judge

2023-12-01T14:49:33Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-01T14:49:42Z

alex-ppg marked the issue as duplicate of #1788

#3 - c4-judge

2023-12-08T17:48:18Z

alex-ppg marked the issue as satisfactory

#4 - c4-judge

2023-12-09T00:20:29Z

alex-ppg changed the severity to 3 (High Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax ยฉ 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter