NextGen - slvDev's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Researcher Performance

Rank: 217/243

Findings: 1

Award: $0.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
partial-50
duplicate-1323

External Links

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L111-L114
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130

Vulnerability details

Impact

The vulnerability allows the highest bidder (the auction winner) to reclaim their bid amount while also receiving the NFT.

Proof of Concept

The vulnerability stems from the timing of checks in the claimAuction and cancelBid functions and reentrancy.

  • The claimAuction function only proceeds if the auction has ended, as verified by require(block.timestamp >= minter.getAuctionEndTime(_tokenid))
  • The cancelBid function can be invoked as long as the auction hasn't ended, checked via require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended")
  • The use of safeTransferFrom to transfer the NFT leads to a reentrancy attack. If the highestBidder is a contract with malicious logic in onERC721Received, it will invoke cancelBid, pass all require statements, and get its ETH back.
  • The transaction won't fail when trying to send ETH to the owner in the next line, since the success of payable(owner()).call{value: highestBid}("") isn't checked.

Tools Used

Manual code review

Recommended Mitigation Steps

  • Synchronize the timing checks in claimAuction and cancelBid.
  • Review the sequence of operations and state changes in the claimAuction function to prevent reentrancy, e.g. add auctionInfoData[_tokenid][index].status = false; before safeTransferFrom.

Assessed type

Reentrancy

#0 - c4-pre-sort

2023-11-15T00:45:46Z

141345 marked the issue as duplicate of #962

#1 - c4-judge

2023-12-04T21:43:00Z

alex-ppg marked the issue as duplicate of #1323

#2 - c4-judge

2023-12-08T17:32:27Z

alex-ppg marked the issue as partial-50

#3 - c4-judge

2023-12-08T17:33:39Z

alex-ppg marked the issue as full credit

#4 - c4-judge

2023-12-08T17:34:34Z

alex-ppg marked the issue as partial-50

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
partial-50
duplicate-1323

External Links

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L116-L130

Vulnerability details

Impact

This vulnerability enables a bidder to recover their bid amount twice during the execution of the claimAuction function.

Proof of Concept

A race condition between the claimAuction and cancelBid functions allows a non-winning bidder to claim their bid twice:

  • In claimAuction, the function proceeds if the auction has ended, as checked by require(block.timestamp >= minter.getAuctionEndTime(_tokenid)).
  • In cancelBid, the function is accessible as long as the auction hasn't ended, verified by require(block.timestamp <= minter.getAuctionEndTime(_tokenid), "Auction ended");.
  • A bidder's contract, in the line (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}(""), can use its receive() function to re-enter the cancelBid function. This reentrancy can occur within the same block timestamp.
  • The bidder can thus bypass the require checks in cancelBid and reclaim their bid, effectively receiving their bid amount twice.

Tools Used

Manual review

Recommended Mitigation Steps

Fix the timing checks in claimAuction and cancelBid.

Assessed type

Reentrancy
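
The mitigation both findings above point to (mutually exclusive timing checks in claimAuction and cancelBid, bid status cleared before any external call, and a checked payment to the owner), sketched in Solidity. This is an added example, not the NextGen AuctionDemo code or the researcher's submission; it models a single auction per contract, and seller, tokenid, settled, owed, placeBid and withdrawOwed are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC721 { function safeTransferFrom(address from, address to, uint256 tokenId) external; }
// Added sketch, not the NextGen source; placeBid and withdrawOwed are hypothetical helpers.
contract HardenedAuctionSketch {
    struct Bid { address bidder; uint256 bid; bool status; }
    IERC721 public immutable nft;
    address public immutable seller;     // assumption: stands in for owner()
    uint256 public immutable tokenid;    // assumption: one auction per contract
    uint256 public immutable auctionEnd; // assumption: stands in for minter.getAuctionEndTime()
    bool public settled;                 // hypothetical flag: claimAuction runs once
    Bid[] public auctionInfoData;
    mapping(address => uint256) public owed; // hypothetical: refunds whose push failed
    constructor(IERC721 _nft, uint256 _tokenid, uint256 _end) {
        nft = _nft; seller = msg.sender; tokenid = _tokenid; auctionEnd = _end;
    }
    function placeBid() external payable {
        require(block.timestamp < auctionEnd && msg.value > 0, "Bad bid");
        auctionInfoData.push(Bid(msg.sender, msg.value, true));
    }
    function cancelBid(uint256 index) external {
        require(block.timestamp < auctionEnd, "Auction ended"); // strict '<': never true once claimAuction's '>=' holds
        Bid storage b = auctionInfoData[index];
        require(b.bidder == msg.sender && b.status, "Not an active bid");
        b.status = false; // effect before the external call
        (bool ok, ) = payable(msg.sender).call{value: b.bid}("");
        require(ok, "Refund failed");
    }
    function claimAuction() external {
        require(block.timestamp >= auctionEnd && !settled, "Not claimable");
        settled = true; // a re-entrant claim now reverts
        uint256 n = auctionInfoData.length; uint256 win = n; // win == n: no active bid
        for (uint256 i = 0; i < n; i++)
            if (auctionInfoData[i].status && (win == n || auctionInfoData[i].bid > auctionInfoData[win].bid)) win = i;
        for (uint256 i = 0; i < n; i++) {
            Bid storage b = auctionInfoData[i];
            if (!b.status) continue;
            b.status = false; // effect before either external call below
            address to = b.bidder;
            if (i == win) { nft.safeTransferFrom(seller, to, tokenid); to = seller; }
            (bool ok, ) = payable(to).call{value: b.bid}("");
            if (!ok) { require(i != win, "Seller payment failed"); owed[to] += b.bid; }
        }
    }
    function withdrawOwed() external {
        uint256 amt = owed[msg.sender]; owed[msg.sender] = 0; // zero before sending
        (bool ok, ) = payable(msg.sender).call{value: amt}("");
        require(ok, "Withdraw failed");
    }
}
```

A winner that cannot receive the NFT still makes claimAuction revert in this sketch; handling that case is left out.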

#0 - c4-pre-sort

2023-11-14T23:54:01Z

141345 marked the issue as duplicate of #2039

#1 - c4-pre-sort

2023-11-16T23:40:37Z

141345 marked the issue as duplicate of #51

#2 - c4-pre-sort

2023-11-21T09:05:11Z

141345 marked the issue as not a duplicate

#3 - c4-pre-sort

2023-11-21T09:12:01Z

141345 marked the issue as duplicate of #962

#4 - c4-judge

2023-12-04T21:43:03Z

alex-ppg marked the issue as duplicate of #1323

#5 - c4-judge

2023-12-08T17:32:05Z

alex-ppg marked the issue as partial-50
