NextGen - y4y's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

Researcher Performance

Rank: 194/243

Findings: 2

Award: $0.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L197

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L195

Vulnerability details

Impact

Because the tokens minted per address are updated after the mint, a contract is able to mint more than the maximum allowed number of times. The minter still needs to pay the price for each token, hence the medium severity.

Proof of Concept

The core contract uses the safeMint function to make sure the receiver has successfully received the token. However, when the receiver is a contract address, the onERC721Received callback will be called. In this function, the minter can set up another or multiple mint calls to the minter contract, with the prices in msg.value, to mint more tokens than the maximum allowed.

In this PoC, I set up with Foundry, and the test case would showcase how the limit can be bypassed.

Tools Used

Manual review, Foundry.

Recommended Mitigation Steps

Add a reentrancy lock as a function modifier, or update the tokens minted before the mint.

Assessed type

Reentrancy
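
The ordering problem this finding describes, shown on a minimal capped mint with the vulnerable order beside the corrected one. This is an added example, not code from the submission or from NextGenCore.sol; the contract CappedMint, its constants and both mint function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 id, bytes calldata data)
        external returns (bytes4);
}

// Hypothetical capped mint for illustration; not NextGenCore.sol.
contract CappedMint {
    uint256 public constant PRICE = 0.01 ether;
    uint256 public constant MAX_PER_ADDRESS = 2;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public mintedBy;

    modifier paidAndUnderCap() {
        require(msg.value == PRICE, "wrong price");
        require(mintedBy[msg.sender] < MAX_PER_ADDRESS, "cap reached");
        _;
    }

    // Before: the counter is written after the receiver hook has run, so a
    // nested call made from inside the hook still passes the cap check.
    function mintCountAfter() external payable paidAndUnderCap {
        _safeMint(msg.sender, nextId++);
        mintedBy[msg.sender] += 1;
    }

    // After: checks, then effects, then the external interaction. A nested call
    // from the hook now sees the updated counter and reverts at the cap.
    // A reentrancy lock on the function is the other mitigation named above.
    function mintCountBefore() external payable paidAndUnderCap {
        mintedBy[msg.sender] += 1;
        _safeMint(msg.sender, nextId++);
    }

    // Same shape as an ERC-721 safe mint: contract receivers get a callback.
    function _safeMint(address to, uint256 id) private {
        ownerOf[id] = to;
        if (to.code.length == 0) return;
        bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
        require(ret == IERC721Receiver.onERC721Received.selector, "receiver rejected token");
    }
}
```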

#0 - c4-pre-sort

2023-11-16T00:58:22Z

141345 marked the issue as duplicate of #51

#1 - c4-pre-sort

2023-11-26T14:00:03Z

141345 marked the issue as duplicate of #1742

#2 - c4-judge

2023-12-08T16:36:43Z

alex-ppg marked the issue as satisfactory

#3 - c4-judge

2023-12-08T16:36:58Z

alex-ppg marked the issue as partial-25

#4 - c4-judge

2023-12-09T00:18:52Z

alex-ppg changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: smiling_heretic

Also found by: 00decree, 00xSEV, 0x180db, 0x3b, 0x656c68616a, 0xAadi, 0xAleko, 0xAsen, 0xDetermination, 0xJuda, 0xMAKEOUTHILL, 0xMango, 0xMosh, 0xSwahili, 0x_6a70, 0xarno, 0xgrbr, 0xpiken, 0xsagetony, 3th, 8olidity, ABA, AerialRaider, Al-Qa-qa, Arabadzhiev, AvantGard, CaeraDenoir, ChrisTina, DanielArmstrong, DarkTower, DeFiHackLabs, Deft_TT, Delvir0, Draiakoo, Eigenvectors, Fulum, Greed, HChang26, Haipls, Hama, Inference, Jiamin, JohnnyTime, Jorgect, Juntao, Kaysoft, Kose, Kow, Krace, MaNcHaSsS, Madalad, MrPotatoMagic, Neon2835, NoamYakov, Norah, Oxsadeeq, PENGUN, REKCAH, Ruhum, Shubham, Silvermist, Soul22, SovaSlava, SpicyMeatball, Talfao, TermoHash, The_Kakers, Toshii, TuringConsulting, Udsen, VAD37, Vagner, Zac, Zach_166, ZdravkoHr, _eperezok, ak1, aldarion, alexfilippov314, alexxander, amaechieth, aslanbek, ast3ros, audityourcontracts, ayden, bdmcbri, bird-flu, blutorque, bronze_pickaxe, btk, c0pp3rscr3w3r, c3phas, cartlex_, cccz, ciphermarco, circlelooper, crunch, cryptothemex, cu5t0mpeo, darksnow, degensec, dethera, devival, dimulski, droptpackets, epistkr, evmboi32, fibonacci, gumgumzum, immeas, innertia, inzinko, jasonxiale, joesan, ke1caM, kimchi, lanrebayode77, lsaudit, mahyar, max10afternoon, merlin, mrudenko, nuthan2x, oakcobalt, openwide, orion, phoenixV110, pontifex, r0ck3tz, rotcivegaf, rvierdiiev, seeques, shenwilly, sl1, slvDev, t0x1c, tallo, tnquanghuy0512, tpiliposian, trachev, twcctop, vangrim, volodya, xAriextz, xeros, xuwinnie, y4y, yobiz, zhaojie

Awards

0 USDC - $0.00

Labels

bug
3 (High Risk)
partial-25
upgraded by judge
duplicate-1323

External Links

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L125

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L135

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104

Vulnerability details

Impact

When the admin or an auction bidder claims the auction when block.timestamp is exactly equal to the auction end time, the bidder can get extra ether. When the bidder happens to be the winner, he/she can get the token for free.

Proof of Concept

Alice participates in the auction and wins it. She waits until block.timestamp is exactly at the auction end timestamp and calls claimAuction. Right after that, she calls cancelBid. After claimAuction has been executed, the bidder's status is not updated, which means that in the next cancelBid call Alice can get her bid ether back, so she gets the token for free.

Tools Used

Manual review.

Recommended Mitigation Steps

Update the bidder's status when tokens are claimed and when bids are cancelled.

Assessed type

Context
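
One way to apply the mitigation above, combined with refund and claim windows that cannot overlap, as an added example that is not from the submission or from AuctionDemo.sol. BoundarySafeAuction and every name in it are hypothetical, and the '<=' with '>=' pairing named in the comment is an assumption about how both calls could succeed at the same timestamp.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical auction for illustration; not NextGen's AuctionDemo.sol.
contract BoundarySafeAuction {
    struct Bid { address bidder; uint256 amount; bool active; }
    address public immutable seller;
    uint256 public immutable endTime;
    bool public claimed;
    Bid[] public bids;

    constructor(uint256 duration) {
        seller = msg.sender;
        endTime = block.timestamp + duration;
    }

    function placeBid() external payable {
        require(block.timestamp < endTime, "auction over");
        bids.push(Bid(msg.sender, msg.value, true));
    }

    // Refunds are open strictly before endTime, or after settlement for losers.
    // Assumed weak form: '<=' here with '>=' in claim() lets both calls pass
    // when block.timestamp == endTime.
    function cancelBid(uint256 i) external {
        require(block.timestamp < endTime || claimed, "refunds closed");
        Bid storage b = bids[i];
        require(b.bidder == msg.sender && b.active, "not an active bid");
        b.active = false; // status first, ether second
        _send(msg.sender, b.amount);
    }

    function claim() external {
        require(block.timestamp >= endTime && !claimed, "not claimable");
        claimed = true;
        (uint256 best, bool found) = (0, false);
        for (uint256 i = 0; i < bids.length; i++) {
            if (!bids[i].active) continue;
            if (!found || bids[i].amount > bids[best].amount) (best, found) = (i, true);
        }
        require(found, "no active bids");
        bids[best].active = false; // winning bid is spent and can never be refunded
        _send(seller, bids[best].amount); // token transfer to the winner omitted
    }

    function _send(address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Losing bidders pull their own refund through cancelBid once claimed is set, so one reverting receiver cannot block settlement for the rest.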

#0 - c4-pre-sort

2023-11-15T09:18:34Z

141345 marked the issue as duplicate of #962

#1 - c4-judge

2023-12-01T16:01:39Z

alex-ppg marked the issue as not a duplicate

#2 - c4-judge

2023-12-01T16:01:47Z

alex-ppg marked the issue as duplicate of #1788

#3 - c4-judge

2023-12-08T18:19:21Z

alex-ppg marked the issue as partial-25

#4 - c4-judge

2023-12-09T00:20:29Z

alex-ppg changed the severity to 3 (High Risk)
