Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 126/243
Findings: 4
Award: $6.91
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: btk
Also found by: 00xSEV, 0x175, 0x180db, 0x3b, 0xAlix2, 0xJuda, 0xpiken, 0xraion, 3th, 836541, Al-Qa-qa, AvantGard, Aymen0909, Beosin, ChrisTina, DarkTower, DeFiHackLabs, EricWWFCP, Kose, Kow, KupiaSec, MrPotatoMagic, Neo_Granicen, PENGUN, PetarTolev, Ruhum, Soul22, SovaSlava, SpicyMeatball, Talfao, The_Kakers, Toshii, Tricko, VAD37, Viktor_Cortess, ZdravkoHr, _eperezok, alexxander, audityourcontracts, ayden, bird-flu, bronze_pickaxe, codynhat, critical-or-high, danielles0xG, degensec, droptpackets, evmboi32, fibonacci, flacko, gumgumzum, ilchovski, immeas, innertia, jacopod, joesan, ke1caM, kk_krish, mojito_auditor, nuthan2x, phoenixV110, pontifex, r0ck3tz, sces60107, seeques, sl1, smiling_heretic, stackachu, t0x1c, trachev, turvy_fuzz, ubl4nk, ustas, xAriextz, xuwinnie, y4y
0.038 USDC - $0.04
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L258
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L193
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L231
A per-address mint limit is set, but it can be exceeded.
In the gncore.mint function, the number of mints per address is tracked by tokensMintedPerAddress and tokensMintedAllowlistAddress, but _safeMint is invoked before they are updated. Therefore, when the recipient re-enters mint from the _safeMint receiver callback, the counters have not yet been incremented and any number of mints can be made.
Tools used: Manual
Recommended mitigation: Update the counters first and then call _safeMint, or use a plain (non-safe) mint that has no receiver callback instead of _safeMint.
Reentrancy
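As an added example (not code from the NextGen repository or from this report), the following minimal mint path shows the recommended ordering: the per-address counters are updated before _safeMint hands control to the recipient's onERC721Received hook, so a re-entrant call to mint fails the limit check. The contract name MintLimitedCore, the single-collection layout, the maxPerAddress / maxPerAllowlistAddress limits and the small reentrancy guard are assumptions for illustration; only tokensMintedPerAddress, tokensMintedAllowlistAddress and _safeMint are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not NextGen code. Minimal mint path using checks-effects-
// interactions ordering: the counters are incremented before the receiver hook.

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

contract MintLimitedCore {
    // Names from the report: per-address counters for the public and allowlist phases.
    mapping(address => uint256) public tokensMintedPerAddress;
    mapping(address => uint256) public tokensMintedAllowlistAddress;

    // Assumed limit storage (single collection for brevity).
    uint256 public immutable maxPerAddress;
    uint256 public immutable maxPerAllowlistAddress;

    mapping(uint256 => address) private _ownerOf;
    uint256 private _nextId;

    // Assumed minimal reentrancy guard: defence in depth on top of the ordering fix.
    bool private _entered;

    modifier nonReentrant() {
        require(!_entered, "reentrant call");
        _entered = true;
        _;
        _entered = false;
    }

    constructor(uint256 perAddress, uint256 perAllowlistAddress) {
        maxPerAddress = perAddress;
        maxPerAllowlistAddress = perAllowlistAddress;
    }

    function mint(address to, bool allowlistPhase) external nonReentrant returns (uint256 tokenId) {
        // Checks: the limit check reads a counter that every earlier mint has already bumped.
        if (allowlistPhase) {
            require(tokensMintedAllowlistAddress[to] < maxPerAllowlistAddress, "allowlist limit reached");
            // Effects: update state before any external call.
            tokensMintedAllowlistAddress[to] += 1;
        } else {
            require(tokensMintedPerAddress[to] < maxPerAddress, "mint limit reached");
            tokensMintedPerAddress[to] += 1;
        }
        tokenId = _nextId++;

        // Interactions: the receiver callback runs last. A recipient that re-enters
        // mint from onERC721Received now sees the incremented counter (and the guard)
        // and the nested call reverts instead of minting past the limit.
        _safeMint(to, tokenId);
    }

    function _safeMint(address to, uint256 tokenId) internal {
        require(to != address(0), "zero address");
        require(_ownerOf[tokenId] == address(0), "already minted");
        _ownerOf[tokenId] = to;
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe receiver");
        }
    }

    function ownerOf(uint256 tokenId) external view returns (address) {
        return _ownerOf[tokenId];
    }
}
```

The ordering change alone closes the issue; the guard is defence in depth, and the report's alternative of a plain mint without the receiver callback would remove the external call entirely.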
#0 - c4-pre-sort
2023-11-19T08:09:53Z
141345 marked the issue as duplicate of #51
#1 - c4-pre-sort
2023-11-26T14:04:10Z
141345 marked the issue as duplicate of #1742
#2 - c4-judge
2023-12-08T16:17:27Z
alex-ppg marked the issue as satisfactory
#3 - c4-judge
2023-12-08T16:17:33Z
alex-ppg marked the issue as partial-25
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L135
After receiving the token as the auction winner, or a refund as a loser, a bidder can extract additional funds from the contract.
Looking at the conditional statements of cancelBid (and cancelAllBids) and claimAuction, when block.timestamp == minter.getAuctionEndTime(_tokenid), both conditions pass. In other words, cancelBid (and cancelAllBids) can be called after claimAuction within the same block.
Both the winner and the losers then receive an additional refund of the amount they bid, so an attacker can drain a large amount from the contract.
Tools used: Manual
Recommended mitigation: Set the claimAuction condition to block.timestamp > minter.getAuctionEndTime(_tokenid), so that a claim and a cancellation can never both succeed at the end timestamp.
Timing
#0 - c4-pre-sort
2023-11-14T10:31:28Z
141345 marked the issue as duplicate of #1904
#1 - c4-pre-sort
2023-11-14T23:31:45Z
141345 marked the issue as duplicate of #962
#2 - c4-judge
2023-12-01T14:54:56Z
alex-ppg marked the issue as not a duplicate
#3 - c4-judge
2023-12-01T14:55:04Z
alex-ppg marked the issue as duplicate of #1788
#4 - c4-judge
2023-12-08T17:50:49Z
alex-ppg marked the issue as partial-50
🌟 Selected for report: The_Kakers
Also found by: 00xSEV, 0xAsen, 0xDetermination, 0xJuda, 0xWaitress, 0xhunter, 0xlemon, 0xpiken, Al-Qa-qa, Arabadzhiev, CSL, CaeraDenoir, DarkTower, DeFiHackLabs, Greed, Haipls, MaNcHaSsS, NentoR, NoamYakov, PENGUN, Ruhum, Soul22, SovaSlava, Talfao, Toshii, TuringConsulting, VAD37, Vagner, Valix, Viktor_Cortess, ZdravkoHr, audityourcontracts, btk, codynhat, flacko, funkornaut, glcanvas, gumgumzum, immeas, innertia, ke1caM, lanrebayode77, lsaudit, mrudenko, niki, nmirchev8, openwide, oualidpro, r0ck3tz, rvierdiiev, trachev, yojeff
1.3844 USDC - $1.38
Auction participants' funds can be locked in the contract.
claimAuction refunds the auction losers with the following code.
(bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
If a bidder is a contract whose receive code consumes a lot of gas, for example, this call fails and claimAuction always reverts, so the participants' funds remain locked in the contract.
Tools used: Manual
Recommended mitigation: Consider pull-based refunds, where each participant withdraws their own refund after the auction is over.
DoS
#0 - c4-pre-sort
2023-11-19T08:06:03Z
141345 marked the issue as duplicate of #486
#1 - c4-pre-sort
2023-11-19T08:06:42Z
141345 marked the issue as duplicate of #486
#2 - c4-judge
2023-12-01T22:15:46Z
alex-ppg marked the issue as not a duplicate
#3 - c4-judge
2023-12-01T22:16:05Z
alex-ppg marked the issue as duplicate of #1782
#4 - c4-judge
2023-12-08T20:47:25Z
alex-ppg marked the issue as partial-50
🌟 Selected for report: HChang26
Also found by: 0x3b, 0xMAKEOUTHILL, 0xSwahili, 0xarno, ABA, DeFiHackLabs, Eigenvectors, Haipls, Kow, MrPotatoMagic, Neon2835, Nyx, Zac, alexfilippov314, ayden, c3phas, immeas, innertia, lsaudit, merlin, mojito_auditor, oakcobalt, ohm, oualidpro, peanuts, phoenixV110, sces60107, t0x1c, tnquanghuy0512, ubl4nk, volodya, xAriextz
5.4864 USDC - $5.49
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L58
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L105
Funds bid by a user can be locked in the contract and cannot be retrieved.
Looking at the conditional statements of participateToAuction and claimAuction, when block.timestamp == minter.getAuctionEndTime(_tokenid), both conditions pass. In other words, participateToAuction can be called after claimAuction within the same block. Since claimAuction can only be called once, a bid placed after the auction has been claimed can never be refunded and is lost.
Tools used: Manual
Recommended mitigation: Set the claimAuction condition to block.timestamp > minter.getAuctionEndTime(_tokenid), so that bidding and claiming can never both succeed at the end timestamp.
Timing
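As an added example that serves this finding, the cancelBid-after-claimAuction finding above and the refund-DoS finding above (it is not code from the NextGen AuctionDemo contract or from these reports), the following minimal auction makes the end-time checks mutually exclusive, accepting bids and cancellations only while block.timestamp <= endTime and claims only when block.timestamp > endTime, and replaces the push refund inside claimAuction with a pull-payment ledger so that one failing receiver can no longer block every refund. The token transfer to the winner is omitted. SimpleAuction, endTime (standing in for minter.getAuctionEndTime), claimed, pendingRefunds, withdrawRefund and the owner setup are assumptions for illustration; auctionInfoData, participateToAuction, cancelBid and claimAuction are names from the reports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not NextGen code. Strict end-time boundary plus pull refunds.
contract SimpleAuction {
    struct Bid {
        address bidder;
        uint256 bid;
        bool status; // true while the bid is active
    }

    address public immutable owner;                    // assumed: receives winning proceeds
    mapping(uint256 => Bid[]) public auctionInfoData;  // tokenId => bids (name from the report)
    mapping(uint256 => uint256) public endTime;        // assumed stand-in for minter.getAuctionEndTime
    mapping(uint256 => bool) public claimed;           // assumed: claimAuction runs once per token
    mapping(address => uint256) public pendingRefunds; // assumed pull-payment ledger

    event AuctionClaimed(uint256 indexed tokenId, address winner, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setEndTime(uint256 tokenId, uint256 t) external onlyOwner {
        require(!claimed[tokenId], "already claimed");
        endTime[tokenId] = t;
    }

    // Open while the auction runs, including the final second (<=).
    function participateToAuction(uint256 tokenId) external payable {
        require(block.timestamp <= endTime[tokenId], "auction ended");
        require(msg.value > 0, "zero bid");
        auctionInfoData[tokenId].push(Bid(msg.sender, msg.value, true));
    }

    // Same window as bidding, so it can never overlap with a claim.
    function cancelBid(uint256 tokenId, uint256 index) external {
        require(block.timestamp <= endTime[tokenId], "auction ended");
        Bid storage b = auctionInfoData[tokenId][index];
        require(b.bidder == msg.sender && b.status, "not your active bid");
        b.status = false;                      // effect before any payout
        pendingRefunds[msg.sender] += b.bid;   // cancellations also go through the ledger
    }

    // Strictly after the end time (>): a claim cannot share the end timestamp
    // with a bid or a cancellation, which closes both timing findings.
    function claimAuction(uint256 tokenId) external {
        require(block.timestamp > endTime[tokenId], "auction not over");
        require(!claimed[tokenId], "already claimed");
        claimed[tokenId] = true;

        Bid[] storage bids = auctionInfoData[tokenId];
        uint256 best;
        uint256 bestIdx;
        bool found;
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].status && bids[i].bid > best) {
                best = bids[i].bid;
                bestIdx = i;
                found = true;
            }
        }
        // Losers are credited, not paid, so a receiver that reverts or burns gas
        // can no longer make the whole claim revert (the DoS finding).
        for (uint256 i = 0; i < bids.length; i++) {
            if (bids[i].status && !(found && i == bestIdx)) {
                bids[i].status = false;
                pendingRefunds[bids[i].bidder] += bids[i].bid;
            }
        }
        if (found) {
            bids[bestIdx].status = false;
            pendingRefunds[owner] += best; // proceeds are pulled too; claim makes no external call
            emit AuctionClaimed(tokenId, bids[bestIdx].bidder, best);
        }
    }

    // Each party withdraws its own balance; a failing receiver only affects itself.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the windows split at the boundary (<= for participateToAuction and cancelBid, > for claimAuction), a bid or cancellation can never land after a claim, and since claimAuction performs no ETH transfers, a single bidder's receive code cannot lock everyone else's refunds.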
#0 - c4-pre-sort
2023-11-14T10:33:24Z
141345 marked the issue as duplicate of #1935
#1 - c4-pre-sort
2023-11-14T14:21:36Z
141345 marked the issue as duplicate of #962
#2 - c4-judge
2023-12-02T15:33:02Z
alex-ppg marked the issue as not a duplicate
#3 - c4-judge
2023-12-02T15:34:51Z
alex-ppg marked the issue as duplicate of #1926
#4 - c4-judge
2023-12-08T18:49:21Z
alex-ppg marked the issue as partial-50