NextGen - nmirchev8's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

Researcher Performance

Rank: 157/243

Findings: 1

Award: $1.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/AuctionDemo.sol#L116

Vulnerability details

Summary

In AuctionDemo, the function responsible for refunding participants who lose in the auction is entangled with the operation that transfers the NFT to the winner. This creates a dependency, and if one operation fails, it can adversely affect the other.

Impact

The current implementation exposes a vulnerability to gas griefing attacks. Specifically, the following lines in the code:

    } else if (auctionInfoData[_tokenid][i].status == true) {
        (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
        emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid);

In certain scenarios, a malicious participant could exploit this design by being the first bidder with a small amount and causing subsequent, larger deposits to be non-refundable. This situation can lead to significant fund loss, and even the admin won't be able to refund participants due to the coupling of operations in this single function.

Proof of Concept

The attacker only needs to implement a contract whose fallback function contains an infinite for loop, which will drain the gas.

  1. Alice starts an auction for her NFT.
  2. Eve makes the first bid with a small amount (0.01 ETH).
  3. After that, more users overbid, and the winning bid is 1 ETH.
  4. All their funds are stuck and the NFT is unclaimable for the winner, because claimAuction will always revert due to the gas drained by the fallback function of Eve's malicious contract.

Tools Used

Manual Review

  • The code should be refactored to decouple the refund logic from the NFT transfer, ensuring that each operation can fail or succeed independently without affecting the other. This separation is crucial to prevent gas griefing and to enhance the security of the auction contract.
  • Another solution is to forward only a small amount of gas with the call.
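
The first recommendation above can be met with a pull-payment design, in which settlement credits balances and each party withdraws its own ETH. The contract below is an added example, not NextGen's AuctionDemo code; the contract name, its functions, the escrow-on-start flow and the single-highest-bid model are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration: all names are hypothetical, not NextGen's AuctionDemo code.
interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract PullRefundAuction {
    struct Auction { address seller; address winner; uint256 highestBid; uint256 endTime; bool paid; }
    IERC721Like public immutable nft;
    mapping(uint256 => Auction) public auctions;
    mapping(address => uint256) public pendingWithdrawals; // ETH owed per address

    constructor(IERC721Like _nft) { nft = _nft; }

    // Escrows the token; reverts unless the caller is allowed to move it.
    function start(uint256 tokenId, uint256 endTime) external {
        nft.transferFrom(msg.sender, address(this), tokenId);
        auctions[tokenId] = Auction(msg.sender, address(0), 0, endTime, false);
    }

    function bid(uint256 tokenId) external payable {
        Auction storage a = auctions[tokenId];
        require(block.timestamp <= a.endTime, "ended");
        require(msg.value > a.highestBid, "bid too low");
        // The outbid amount is only credited; no external call to any bidder.
        if (a.winner != address(0)) pendingWithdrawals[a.winner] += a.highestBid;
        a.winner = msg.sender;
        a.highestBid = msg.value;
    }

    // Settlement never calls a losing bidder, so none of them can make it revert.
    function claimAuction(uint256 tokenId) external {
        Auction storage a = auctions[tokenId];
        require(a.seller != address(0) && block.timestamp > a.endTime && !a.paid, "not claimable");
        a.paid = true;
        pendingWithdrawals[a.seller] += a.highestBid;
        // With no bids the token returns to the seller.
        nft.transferFrom(address(this), a.winner == address(0) ? a.seller : a.winner, tokenId);
    }

    // Each party pulls its own ETH; a gas-burning receiver only fails its own call.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        pendingWithdrawals[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because `claimAuction` makes no ETH transfer to any bidder, a receiver with a gas-draining fallback can only cause its own `withdraw` call to fail.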

Assessed type

DoS

#0 - c4-pre-sort

2023-11-18T07:51:55Z

141345 marked the issue as duplicate of #486

#1 - c4-judge

2023-12-01T22:40:39Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-01T22:40:53Z

alex-ppg marked the issue as duplicate of #1782

#3 - c4-judge

2023-12-08T20:52:52Z

alex-ppg marked the issue as partial-50
