Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 220/243
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
AuctionDemo::claimAuction() allows the token to be claimed by the highest bid. Either the winner or the admin can call the function once the auction ends, i.e. when block.timestamp >= the auction end time. The issue is that the claim and cancel functions can both be called at exactly the same timestamp, which is auctionEndTime.
A malicious bidder can place the highest bid to become the winner, then call claimAuction(); the transfer into the bidder's malicious contract triggers its fallback, which in turn calls cancelBid() on the auction contract, all at the same timestamp at which the auction ends. And because the success value of the fund transfers to the other bidders is not checked, the attacker can steal their funds without the transaction reverting.
Proof of concept: Alice, the malicious bidder, calls participateToAuction() with the highest possible amount (not greater than the other bidders' combined bid amount). Once block.timestamp == minter.getAuctionEndTime(_tokenid) is reached, Alice calls claimAuction() -> malicious bidder contract -> cancelBid(). Alice manages to claim the highest amount she bid, while also stealing the other bidders' amounts.
Manual review
Use a reentrancy guard to prevent reentrancy, and allow cancelBid() and participateToAuction() to be called only while block.timestamp < minter.getAuctionEndTime(_tokenId).
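The following is an added example written for this note, not NextGen's AuctionDemo or any code from the report. It is a hypothetical minimal auction (the contract name HardenedAuction, the interfaces IMinter and IERC721Minimal, and the pendingReturns mapping are assumed) that shows the recommended mitigation: a reentrancy guard on every state-changing entry point, and a strict `<` for bidding and cancelling so that no block.timestamp satisfies both the "open" and the "ended" predicate. It also checks every transfer result and goes one step beyond the report by refunding losing bidders through a pull pattern, so a reverting receiver cannot block the claim.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal auction illustrating the fix; NOT NextGen's AuctionDemo.
interface IMinter {
    function getAuctionEndTime(uint256 tokenId) external view returns (uint256);
}

interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract HardenedAuction {
    struct Bid { address bidder; uint256 amount; bool active; }

    IMinter public immutable minter;
    IERC721Minimal public immutable nft;
    address public immutable seller;

    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => bool) public claimed;
    // Losing bids are credited here and pulled by the bidder (pull over push).
    mapping(address => uint256) public pendingReturns;

    uint256 private locked = 1;

    constructor(IMinter _minter, IERC721Minimal _nft, address _seller) {
        minter = _minter;
        nft = _nft;
        seller = _seller;
    }

    // Minimal reentrancy guard, same idea as OpenZeppelin's ReentrancyGuard.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // "Open" is strictly before the end time, "ended" is at or after it, so
    // bid/cancel and claim can never both succeed at block.timestamp == endTime.
    modifier auctionOpen(uint256 tokenId) {
        require(block.timestamp < minter.getAuctionEndTime(tokenId), "auction closed");
        _;
    }

    modifier auctionEnded(uint256 tokenId) {
        require(block.timestamp >= minter.getAuctionEndTime(tokenId), "auction still open");
        _;
    }

    function participateToAuction(uint256 tokenId) external payable nonReentrant auctionOpen(tokenId) {
        require(msg.value > 0, "zero bid");
        bids[tokenId].push(Bid({bidder: msg.sender, amount: msg.value, active: true}));
    }

    function cancelBid(uint256 tokenId, uint256 index) external nonReentrant auctionOpen(tokenId) {
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.active, "not your active bid");
        b.active = false;                              // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");                  // never ignore the transfer result
    }

    function claimAuction(uint256 tokenId) external nonReentrant auctionEnded(tokenId) {
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;                       // effect before any external call

        Bid[] storage list = bids[tokenId];
        uint256 winnerIdx = type(uint256).max;
        uint256 highest = 0;
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i].active && list[i].amount > highest) {
                highest = list[i].amount;
                winnerIdx = i;
            }
        }
        require(winnerIdx != type(uint256).max, "no active bids");

        // Credit every losing bidder; they withdraw later via withdraw().
        for (uint256 i = 0; i < list.length; i++) {
            if (i != winnerIdx && list[i].active) {
                list[i].active = false;
                pendingReturns[list[i].bidder] += list[i].amount;
            }
        }
        address winner = list[winnerIdx].bidder;
        list[winnerIdx].active = false;

        // Interactions last: proceeds to the seller, token to the winner.
        (bool ok, ) = payable(seller).call{value: highest}("");
        require(ok, "payout failed");
        nft.safeTransferFrom(seller, winner, tokenId);
    }

    function withdraw() external nonReentrant {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

With these predicates a transaction that enters claimAuction() at the end timestamp cannot reenter cancelBid() or participateToAuction(), both because the guard is held and because `block.timestamp < endTime` is false once `block.timestamp >= endTime` is true. The pull-based refund is a design choice on top of the report's recommendation: checking the result of a push refund is necessary, but a loser whose receiver reverts would otherwise be able to grief the claim.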
Reentrancy
#0 - c4-pre-sort
2023-11-15T00:55:22Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-04T21:42:40Z
alex-ppg marked the issue as duplicate of #1323
#2 - c4-judge
2023-12-08T17:33:09Z
alex-ppg marked the issue as partial-50
#3 - c4-judge
2023-12-08T17:34:10Z
alex-ppg marked the issue as full credit
#4 - c4-judge
2023-12-08T17:39:39Z
alex-ppg marked the issue as partial-50