Starknet Auction
First Flight #26
Beginner Friendly, NFT
100 EXP
Submission Details
Severity: high
Valid

[EVMN] Overwritten Bidders' Past Bids

Summary

A bidder's past bids are overwritten with the new ones, preventing them from withdrawing assets of unsuccessful bids.

Vulnerability Details

The code on line 108 does not account for a bidder's past bids. For example, if a bidder submits a bid of 1 Ether and then submits another bid of 2 Ether, the contract stores only the 2 Ether and overwrites the previous 1 Ether bid. If the bidder loses the auction, they can withdraw only 2 Ether and therefore lose 1 Ether.

Impact

The bidder loses assets from the unsuccessful bids.

Tools Used

Manual review.

Recommendations

Consider accumulating the bidder's past bids.
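As an added illustration (not the project's Cairo code), a Python model of the bid accounting: the overwriting write beside the accumulating one, followed by the losing bidder's withdrawal. The bidder names, amounts and the "highest total wins" rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Auction:
    """Minimal model of the bidder -> bid value map the finding describes.

    Constructed for illustration; it is not the project's Cairo contract.
    """
    accumulate: bool  # False reproduces the bug, True the recommended fix
    bid_values: Dict[str, int] = field(default_factory=dict)
    deposited: Dict[str, int] = field(default_factory=dict)  # funds actually received
    highest_bidder: Optional[str] = None
    highest_bid: int = 0
    ended: bool = False

    def bid(self, sender: str, amount: int) -> None:
        assert not self.ended, "auction already ended"
        # The contract receives `amount` on every call, whatever it records.
        self.deposited[sender] = self.deposited.get(sender, 0) + amount
        if self.accumulate:
            # Fix: add the new bid to what the bidder already has locked up.
            total = self.bid_values.get(sender, 0) + amount
        else:
            # Bug: `self.bid_values.entry(sender).write(amount)` overwrites.
            total = amount
        self.bid_values[sender] = total
        if total > self.highest_bid:  # assumed winner rule: highest recorded total
            self.highest_bid, self.highest_bidder = total, sender

    def withdraw(self, sender: str) -> int:
        """Refund an unsuccessful bidder whatever the map records for them."""
        assert self.ended and sender != self.highest_bidder
        return self.bid_values.pop(sender, 0)

    def stranded(self, sender: str) -> int:
        """Funds the bidder sent that the refund logic can never return."""
        return self.deposited.get(sender, 0) - self.bid_values.get(sender, 0)


def run_scenario(accumulate: bool) -> Tuple[int, int]:
    """Alice bids 1 then 2 Ether, Bob outbids with 5; returns (alice_refund, alice_stranded)."""
    a = Auction(accumulate=accumulate)
    a.bid("alice", 1)
    a.bid("alice", 2)
    a.bid("bob", 5)
    a.ended = True
    stranded = a.stranded("alice")  # measured before the refund clears the entry
    return a.withdraw("alice"), stranded
```

With the overwriting write Alice recovers 2 of the 3 Ether she sent; with the accumulating write she recovers all 3.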

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong bid amount in `bid` function

In the `bid` function the bid values are stored using `self.bid_values.entry(sender).write(amount)` directly, but this overwrites any previous bids made by the same bidder. Therefore, if a participant makes 2 or more bids, the participant can then withdraw only the value of the last bid. That is incorrect: the protocol should save all bids, and a participant should withdraw the value of all unsuccessful bids.
