Starknet Auction

First Flight #26
Beginner Friendly, NFT
100 EXP
Submission Details
Severity: high
Valid

Critical Vulnerability in Withdraw Function Allows Unlimited Token Drain

Summary

A critical vulnerability has been identified in the withdraw() function of the auction contract, allowing users to exploit the system by withdrawing the same amount repeatedly, leading to a complete draining of the protocol's ERC20 token balance. The root cause lies in the failure to update the user's balance after withdrawal, enabling them to call the function multiple times and receive the same amount indefinitely.


Vulnerability Description

The withdraw() function does not properly update the user's bid balance after they withdraw their tokens. Specifically, the balance is not reset to zero after a withdrawal is executed, allowing the user to call the function repeatedly and withdraw the same amount multiple times.

let amount = self.bid_values.entry(caller).read(); // No balance update after withdrawal
if amount > 0 {
    erc20_dispatcher.transfer_from(sender, caller, amount.into());
}

Here, the user's bid balance (amount) is read, and the transfer is processed, but there is no code that resets the user's balance to zero after the withdrawal, creating a loophole for repeated withdrawals.


Steps to Reproduce

  1. Place a bid in the auction.

    • Example: User A places a bid of 200 tokens.

  2. Call the withdraw() function after the auction ends.

    • User A receives their 200 tokens back as expected.

  3. Call the withdraw() function again.

    • The same 200 tokens are transferred again without any restrictions, as the user's balance was never updated to zero.

  4. Repeat Step 3 to drain the entire balance of the contract.


Impact

  1. Unlimited Token Withdrawal:

    • Any user who has previously bid can exploit this vulnerability to repeatedly withdraw their bid amount, draining the protocol's funds.

  2. Complete Depletion of Contract's ERC20 Balance:

    • Since user balances are not updated after withdrawal, malicious actors can keep withdrawing tokens, leading to a loss of all funds stored in the contract.

  3. Protocol Collapse:

    • If exploited, the contract will lose all liquidity, rendering the auction system dysfunctional and undermining user trust.


Recommendation

To fix this issue, the user's balance should be updated to zero immediately after they withdraw their tokens. This prevents repeated withdrawals and ensures the balance is correctly tracked.

if amount > 0 {
    erc20_dispatcher.transfer_from(sender, caller, amount.into());
    self.bid_values.entry(caller).write(0); // Correctly reset the user's balance to zero after withdrawal
}

By adding self.bid_values.entry(caller).write(0);, the user's balance is reset to zero after a successful withdrawal, eliminating the potential for further withdrawals of the same amount.
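The drain described above and the effect of the fix, as an added Python model (not the project's Cairo code): a toy ERC20 ledger and an auction class with a `reset_on_withdraw` switch stand in for the real contracts, and the bidder names, amounts and the `ValueError` used as the token's revert are constructed for the example. The patched path zeroes the `bid_values` entry before the transfer rather than after it, which also closes the reentrancy angle the judge tagged.

```python
class Erc20:
    """Minimal token ledger standing in for the auction's ERC20 (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        # Mirrors the revert the real token raises once the contract runs dry
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"insufficient balance: {sender}")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class Auction:
    """Models the bid_values map and withdraw(); reset_on_withdraw selects the patched path."""
    ADDRESS = "auction"

    def __init__(self, token, reset_on_withdraw):
        self.token = token
        self.bid_values = {}
        self.reset_on_withdraw = reset_on_withdraw

    def bid(self, caller, amount):
        self.token.transfer(caller, self.ADDRESS, amount)
        self.bid_values[caller] = self.bid_values.get(caller, 0) + amount

    def withdraw(self, caller):
        amount = self.bid_values.get(caller, 0)  # == self.bid_values.entry(caller).read()
        if amount > 0:
            if self.reset_on_withdraw:
                # Fix: zero the recorded bid before the tokens leave the contract
                self.bid_values[caller] = 0
            self.token.transfer(self.ADDRESS, caller, amount)
        return amount


def run_scenario(reset_on_withdraw, repeats=5):
    """Alice bids 100, Bob 300; Alice then calls withdraw `repeats` times.
    Returns (alice, bob, contract) token balances after the calls."""
    token = Erc20({"alice": 100, "bob": 300})
    auction = Auction(token, reset_on_withdraw)
    auction.bid("alice", 100)
    auction.bid("bob", 300)
    for _ in range(repeats):
        try:
            auction.withdraw("alice")
        except ValueError:
            break  # nothing left to take: the contract is empty
    return (token.balances["alice"], token.balances["bob"], token.balances.get(Auction.ADDRESS, 0))
```

With the unpatched path Alice ends up holding Bob's 300 tokens as well as her own and the contract is empty; with the reset in place her second and later calls find a zero entry and move nothing.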

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy in `withdraw` function

The `withdraw` function doesn't reset the `bid_values` to 0 after the withdraw. That means the bidder can call the `withdraw` function multiple times and receive the whole balance of the protocol.
