NextGen - spark's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Findings Distribution

Researcher Performance

Rank: 175/243

Findings: 1

Award: $0.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L112

Vulnerability details

Impact

The refund process can be blocked by the auction winner.

Proof of Concept

ERC721.safeTransferFrom calls IERC721Receiver.onERC721Received on the recipient when the recipient is a contract, and the transfer reverts if that callback reverts or does not return the expected selector.

When an auction is claimed, the NFT transfer to the winner and the refunds to every other bidder are processed in the same loop, so a revert anywhere in that loop reverts the whole claim.

```solidity
for (uint256 i=0; i< auctionInfoData[_tokenid].length; i ++) {
    if (auctionInfoData[_tokenid][i].bidder == highestBidder && auctionInfoData[_tokenid][i].bid == highestBid && auctionInfoData[_tokenid][i].status == true) {
        IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid); // @audit try revert in highestBidder contract.
        (bool success, ) = payable(owner()).call{value: highestBid}("");
        emit ClaimAuction(owner(), _tokenid, success, highestBid);
    } else if (auctionInfoData[_tokenid][i].status == true) {
        (bool success, ) = payable(auctionInfoData[_tokenid][i].bidder).call{value: auctionInfoData[_tokenid][i].bid}("");
        emit Refund(auctionInfoData[_tokenid][i].bidder, _tokenid, success, highestBid);
    } else {}
}
```

As a result, a winning bidder who bids from a contract can implement onERC721Received as follows to block the refund of every other bidder.

```solidity
// Receiver contract controlled by the winning bidder (PoC from the finding).
contract BlockingBidder is IERC721Receiver {
    bool flag = true;

    // Reverts while flag is set, so safeTransferFrom to this contract reverts
    // and claimAuction, including every refund in the loop, reverts with it.
    function onERC721Received(address, address, uint256, bytes memory) public override returns (bytes4) {
        require(!flag, "block");
        return this.onERC721Received.selector;
    }
}
```

Tools Used

Manual

Recommended Mitigation Steps

Let the user invoke the refund or NFT claim instead of through the loop.
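The pull pattern recommended above, written out as an added example that is not part of the NextGen code base or of the finding: the contract name PullAuction, its function names (bid, claimToken, withdraw) and the minimal IERC721 interface are assumptions, and the design assumes the seller has approved the auction contract to move the token. Each outbid bidder is credited a balance and withdraws it in their own transaction, and only the winner's own claim touches the winner's onERC721Received, so a reverting receiver can no longer hold anyone else's funds hostage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC721 surface needed here (assumed; matches the standard signature).
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical single-token auction that settles refunds and payout by pull, not push.
contract PullAuction {
    IERC721 public immutable gencore;
    uint256 public immutable tokenId;
    address public immutable seller;
    uint256 public immutable endTime;

    address public highestBidder;
    uint256 public highestBid;
    bool public claimed;

    // Funds owed to outbid bidders (and, after claim, to the seller). Each
    // party withdraws its own balance; no loop over recipients anywhere.
    mapping(address => uint256) public pendingWithdrawals;

    event Bid(address indexed bidder, uint256 amount);
    event Claimed(address indexed winner, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);

    constructor(IERC721 _gencore, uint256 _tokenId, address _seller, uint256 _duration) {
        gencore = _gencore;
        tokenId = _tokenId;
        seller = _seller;
        endTime = block.timestamp + _duration;
    }

    function bid() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value > highestBid, "bid too low");
        // Credit the previous leader instead of sending ETH to them inline.
        if (highestBidder != address(0)) {
            pendingWithdrawals[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;
        emit Bid(msg.sender, msg.value);
    }

    // The winner claims the token themselves. If their onERC721Received reverts,
    // only this call fails; every other bidder's withdraw() is unaffected.
    function claimToken() external {
        require(block.timestamp >= endTime, "auction live");
        require(!claimed, "already claimed");
        require(msg.sender == highestBidder, "not winner");
        claimed = true;                                  // effects before interactions
        pendingWithdrawals[seller] += highestBid;        // seller is paid by pull too
        gencore.safeTransferFrom(seller, highestBidder, tokenId);
        emit Claimed(highestBidder, highestBid);
    }

    // Outbid bidders and the seller each pull their own balance. Zeroing the
    // balance before the call keeps a reentrant withdraw from paying twice.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

Two design notes. First, refunds never depend on the token transfer succeeding: a bidder who was outbid can call withdraw() before, during or after the winner's claim. Second, because claimToken is winner-only, a winner who never claims leaves the token with the seller and the winning bid locked in the contract; a production version would add a deadline after which the seller can cancel the sale and release or forfeit that bid.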

Assessed type

DoS

#0 - c4-pre-sort

2023-11-17T08:01:39Z

141345 marked the issue as duplicate of #486

#1 - c4-judge

2023-12-01T22:17:50Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-01T22:18:06Z

alex-ppg marked the issue as duplicate of #1759

#3 - c4-judge

2023-12-08T22:08:38Z

alex-ppg marked the issue as partial-50

#4 - c4-judge

2023-12-09T00:23:12Z

alex-ppg changed the severity to 2 (Med Risk)
