NextGen - rvierdiiev's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

Researcher Performance

Rank: 154/243

Findings: 2

Award: $1.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels: bug, 3 (High Risk), partial-25, duplicate-1323

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L57-L61

Vulnerability details

Proof of Concept

To participate in an auction you must place a bid higher than the current highest bid. You can also cancel your bid as long as the auction hasn't finished yet.

These two things together make it easy to win an auction. The attacker just needs to call participateToAuction with a very large amount for the token (for example, if the token's market price is $500, the attacker can bid $5000), so that nobody else finds it profitable to bid higher (since you must outbid the current highest bid to participate). Then, just before the auction ends, the attacker calls cancelBid and then participateToAuction with a symbolic 1 wei amount.

Impact

An attacker can block others from the auction and pay only a symbolic amount.

Tools Used

VsCode

Recommended Mitigation Steps

One mitigation is to require a minimum amount for the auction to be successful. Another is to extend the auction whenever a new bid is placed within X minutes (or seconds) of the end.

Assessed type

Error

#0 - c4-pre-sort (2023-11-17T10:34:12Z): 141345 marked the issue as duplicate of #962

#1 - c4-judge (2023-12-02T15:13:20Z): alex-ppg marked the issue as not a duplicate

#2 - c4-judge (2023-12-02T15:17:08Z): alex-ppg marked the issue as duplicate of #1784

#3 - c4-judge (2023-12-07T11:49:32Z): alex-ppg marked the issue as duplicate of #1323

#4 - c4-judge (2023-12-08T17:27:19Z): alex-ppg marked the issue as partial-25

#5 - c4-judge (2023-12-08T17:28:22Z): alex-ppg marked the issue as satisfactory

#6 - c4-judge (2023-12-08T18:24:12Z): alex-ppg marked the issue as partial-25

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120

Vulnerability details

Proof of Concept

Once an auction has started, anyone can participate. If a participant's bid is the highest, it is stored in the array.

When the auction time is over, the winner or an admin should call claimAuction to receive the token. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120

    function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){
        require(block.timestamp >= minter.getAuctionEndTime(_tokenid) && auctionClaim[_tokenid] == false && minter.getAuctionStatus(_tokenid) == true);
        auctionClaim[_tokenid] = true;
        uint256 highestBid = returnHighestBid(_tokenid);
        address ownerOfToken = IERC721(gencore).ownerOf(_tokenid);
        address highestBidder = returnHighestBidder(_tokenid);
        for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) {
            if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) {
                IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid);
                (bool success, ) = payable(owner()).call{value: highestBid}("");
                emit ClaimAuction(owner(), _tokenid, success, highestBid);
            } else if (auctionInfoData[_tokenid][i].status == true) {
                (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
                emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid);
            } else {}
        }
    }

This is how the function works: it loops through the whole auctionInfoData[_tokenid] array and processes every bid. If the entry is the winner's bid, the token is sent to the winner and the payment is sent to the protocol (owner). If it is not the winner's bid, a refund is issued, provided it hasn't been refunded already.

This approach is very gas-consuming. One problem is that anyone can gas-grief the transaction into reverting (simply consume all the gas forwarded with the refund payment), which blocks the contract. Another problem is that even if everyone is honest, executing such a transaction is very expensive for both the winner and the admins.

Impact

The winner pays a lot in gas to execute the claim.

Tools Used

VsCode

Recommended Mitigation Steps

Change the pattern so that every bidder claims and withdraws their own refund.
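One way to implement both recommendations on this page, the minimum amount plus end-time extension from the first finding and the per-bidder withdrawal from the second, as an added example that is not NextGen's code; the contract, its names (HardenedAuction, reservePrice, EXTENSION, withdraw) and the single-token layout are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC721 { function safeTransferFrom(address from, address to, uint256 id) external; }

// Added example, not NextGen's code: a one-token auction hardened against both findings.
contract HardenedAuction {
    IERC721 public immutable token;
    uint256 public immutable tokenId;
    address public immutable seller;
    uint256 public immutable reservePrice;          // finding 1: floor for any bid
    uint256 public constant EXTENSION = 10 minutes;  // finding 1: anti-snipe window
    uint256 public endTime;
    address public highestBidder;
    uint256 public highestBid;
    mapping(address => uint256) public refunds;     // finding 2: owed refunds, pulled
    bool public claimed;

    constructor(IERC721 _token, uint256 _tokenId, uint256 _reserve, uint256 _duration) {
        token = _token; tokenId = _tokenId; seller = msg.sender;
        reservePrice = _reserve; endTime = block.timestamp + _duration;
    }
    // Deliberately no cancelBid: a bid is binding until it is outbid.
    function bid() external payable {
        require(block.timestamp < endTime, "ended");
        require(msg.value >= reservePrice && msg.value > highestBid, "bid too low");
        // Credit the displaced leader instead of paying inline, so a bad receiver cannot block bids.
        if (highestBidder != address(0)) refunds[highestBidder] += highestBid;
        highestBidder = msg.sender;
        highestBid = msg.value;
        // A late bid extends the deadline so others can respond to it.
        if (endTime - block.timestamp < EXTENSION) endTime = block.timestamp + EXTENSION;
    }
    // Each outbid bidder withdraws their own funds; a failure affects only them.
    function withdraw() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing owed");
        refunds[msg.sender] = 0;                     // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }
    // Settlement touches only winner and seller: no loop over every bid.
    function claim() external {
        require(block.timestamp >= endTime && !claimed, "not claimable");
        require(msg.sender == highestBidder || msg.sender == seller, "unauthorized");
        claimed = true;
        token.safeTransferFrom(seller, highestBidder, tokenId); // seller approved this contract
        (bool ok, ) = payable(seller).call{value: highestBid}("");
        require(ok, "payout failed");
    }
}
```

Because refunds are only credited in bid() and paid out in withdraw(), a reverting or gas-burning bidder can no longer stall settlement for everyone else, and claim() costs the same regardless of how many bids were placed.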

Assessed type

Error

#0 - c4-pre-sort (2023-11-15T10:45:08Z): 141345 marked the issue as duplicate of #843

#1 - c4-pre-sort (2023-11-16T13:35:06Z): 141345 marked the issue as duplicate of #486

#2 - c4-judge (2023-12-05T22:21:09Z): alex-ppg marked the issue as not a duplicate

#3 - c4-judge (2023-12-05T22:21:16Z): alex-ppg marked the issue as duplicate of #734

#4 - c4-judge (2023-12-08T21:04:20Z): alex-ppg marked the issue as partial-50

#5 - c4-judge (2023-12-09T00:22:01Z): alex-ppg changed the severity to 3 (High Risk)
