Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 221/243
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
The requirements for executing claimAuction() and cancelBid()/cancelAllBids() are currently block.timestamp <= minter.getAuctionEndTime(_tokenid) and block.timestamp >= minter.getAuctionEndTime(_tokenid), respectively. Within a single block, however, block.timestamp is the same for every transaction and can be set by the miner. As a result, if a miner sets block.timestamp = minter.getAuctionEndTime(_tokenid), both conditions are satisfied at the same time. In that case the winner can not only claim the auctioned NFT but also withdraw the ETH they bid by calling cancelBid()/cancelAllBids() in the same block. Since claimAuction() does not verify that all bidders have received their refund (i.e., that transferfrom() executed successfully), the winner obtains the auctioned NFT at no cost, and other participants in the auction may incur losses (not winning the NFT and being unable to retrieve the ETH they bid).
Here are the steps of the attack:
1. The miner sets block.timestamp to the same value as the end time of the auction.
2. The miner calls participateToAuction() to place the highest bid and win the auction. Immediately afterward, the miner calls claimAuction() and cancelBid().
Tools Used
Manual Review
Recommended Mitigation Steps
It is recommended that the project change the conditions for claimAuction() and cancelBid()/cancelAllBids() to block.timestamp < minter.getAuctionEndTime(_tokenid) and block.timestamp > minter.getAuctionEndTime(_tokenid), respectively (i.e., remove the equal sign from both), so that the claim window and the cancel window can never hold at the same block.timestamp.
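The following Python model is an added illustration written for this page; it is not NextGen's Solidity code and not part of the original submission. It encodes the two require checks as predicates (the operators are passed in exactly as the finding states them, and can be swapped), replays the sequence from the steps above at block.timestamp == auctionEndTime, and then repeats it with the recommended strict comparisons. The contract mechanics it assumes are simplifications made for the model only: one ETH pool shared across auctions, bid records that claimAuction leaves active, low-level sends whose failure is not checked, and bids accepted up to and including the end time. The overlap() helper generalizes the finding: the claim and cancel windows intersect if and only if both comparisons include equality.

```python
"""Model of the auction end-time boundary described in this finding.

Constructed Python illustration, not NextGen's contract code. The two
`require` checks are modelled as predicates so the overlap at
block.timestamp == auctionEndTime can be checked mechanically.
Assumed for the model only: one shared ETH pool, claimAuction does not clear
bid records, outgoing transfers are unchecked low-level sends, and bids are
accepted up to and including end_time.
"""
import operator

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


class AuctionModel:
    def __init__(self, end_time, claim_op, cancel_op, pool=0):
        self.end_time = end_time
        self.claim_op = claim_op      # comparison used in claimAuction's require
        self.cancel_op = cancel_op    # comparison used in cancelBid's require
        self.pool = pool              # ETH held by the contract (shared across auctions)
        self.bids = {}                # bidder -> (amount, active)
        self.balances = {}            # bidder -> ETH received back from the contract
        self.claimed = False
        self.nft_owner = None
        self.failed_sends = []        # (recipient, amount) whose send silently failed

    def claim_allowed(self, ts):
        return OPS[self.claim_op](ts, self.end_time)

    def cancel_allowed(self, ts):
        return OPS[self.cancel_op](ts, self.end_time)

    def overlap(self, window=2):
        """Timestamps near end_time at which both checks pass (should be empty)."""
        return [t for t in range(self.end_time - window, self.end_time + window + 1)
                if self.claim_allowed(t) and self.cancel_allowed(t)]

    def _send(self, to, amount):
        # Unchecked low-level send: does nothing if the pool cannot cover it.
        if self.pool >= amount:
            self.pool -= amount
            self.balances[to] = self.balances.get(to, 0) + amount
        else:
            self.failed_sends.append((to, amount))

    def bid(self, who, amount, ts):
        if ts > self.end_time:  # assumption: bids accepted through end_time
            raise RuntimeError("participateToAuction: auction ended")
        self.bids[who] = (amount, True)
        self.pool += amount

    def claim(self, ts, seller="seller"):
        if not self.claim_allowed(ts) or self.claimed:
            raise RuntimeError("claimAuction: not allowed")
        self.claimed = True
        winner = max(self.bids, key=lambda b: self.bids[b][0])
        self.nft_owner = winner
        for who, (amount, active) in self.bids.items():
            if active:
                # Winner's bid goes to the seller; every other active bid is refunded.
                self._send(seller if who == winner else who, amount)
        # Bid records are left active here, so cancelBid can still refund them.

    def cancel(self, ts, who):
        if not self.cancel_allowed(ts):
            raise RuntimeError("cancelBid: auction ended")
        amount, active = self.bids[who]
        if not active:
            raise RuntimeError("cancelBid: no active bid")
        self.bids[who] = (amount, False)
        self._send(who, amount)


def replay(claim_op, cancel_op, end_time=1_000):
    """Replay claimAuction then cancelBid at ts == end_time; return the outcome."""
    m = AuctionModel(end_time, claim_op, cancel_op, pool=5)  # 5 ETH belonging to other auctions
    m.bid("alice", 1, end_time - 10)   # constructed sample bids (amounts in ETH)
    m.bid("bob", 2, end_time - 5)
    m.bid("mallory", 3, end_time)      # highest bid, placed in the final block
    outcome = {"overlap": m.overlap(), "claim_ok": False, "cancel_ok": False}
    try:
        m.claim(end_time)
        outcome["claim_ok"] = True
        m.cancel(end_time, "mallory")
        outcome["cancel_ok"] = True
    except RuntimeError as e:
        outcome["reverted"] = str(e)
    outcome["nft_owner"] = m.nft_owner
    outcome["winner_refund"] = m.balances.get("mallory", 0)
    outcome["pool_after"] = m.pool
    outcome["failed_sends"] = m.failed_sends
    return outcome


if __name__ == "__main__":
    print("as reported :", replay("<=", ">="))
    print("recommended :", replay("<", ">"))
```

With the inclusive operators the replay ends with the NFT and the full 3 ETH refund both in the winner's hands and the pool 3 ETH short of what it still owes other depositors; with the strict operators the first call at end_time reverts and overlap() is empty. A unit test asserting overlap() == [] for the deployed operator pair is the regression check worth keeping after the fix.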
Timing
#0 - c4-pre-sort
2023-11-15T07:16:53Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-01T15:11:19Z
alex-ppg marked the issue as not a duplicate
#2 - c4-judge
2023-12-01T15:11:28Z
alex-ppg marked the issue as duplicate of #1788
#3 - c4-judge
2023-12-08T17:57:40Z
alex-ppg marked the issue as satisfactory
#4 - c4-judge
2023-12-09T00:20:29Z
alex-ppg changed the severity to 3 (High Risk)