Starknet Auction

First Flight #26
Tags: Beginner Friendly, NFT
100 EXP
Submission Details
Severity: high
Status: Invalid

Owner Can Bid on Their Own Auction and Withdraw Funds

Summary

The contract allows the auction owner to bid on their own auction and withdraw funds, enabling artificial inflation of the auction price without financial risk.

Vulnerability Details

  • Owner Bidding: There is no check to prevent the auction owner from placing bids.

  • Artificial Price Inflation: The owner can bid a higher amount to outbid others. Due to flaws in the withdraw function, the owner can later withdraw their bid, effectively manipulating the auction price without cost.

Code Reference:

// In bid function
let sender = get_caller_address();
// Missing check to prevent owner from bidding

Impact

  • Unfair Auction Manipulation: Misleads other bidders and undermines the integrity of the auction.

  • Funds Retrieval: The owner retrieves their bid amount through the flawed withdraw function, nullifying any financial commitment.

Recommendations

  • Prevent Owner from Bidding: Add a check in the bid function:

// Cairo short-string error messages (felt252) are limited to 31 characters, so keep the reason short
assert(sender != self.nft_owner.read(), 'Owner cannot bid');

  • Fix Withdrawal Logic: Update the withdraw function to prevent the highest bidder (who could be the owner) from withdrawing their bid (see issue Highest Bidder Can Withdraw Their Bid for details).
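As an added illustration (not the contest contract's code), a small Python model of the bid/withdraw state with both recommended checks; switching `hardened` off reproduces the reported owner self-bid-and-withdraw sequence. The bidder names and amounts are constructed.

```python
from dataclasses import dataclass, field


class AuctionError(Exception):
    """Raised where the contract's assert would fail."""


@dataclass
class Auction:
    # Python model of the auction's bid/withdraw state (constructed; not the Cairo contract).
    nft_owner: str
    hardened: bool = True  # False reproduces the reported behaviour
    highest_bid: int = 0
    highest_bidder: str = ""
    escrow: dict = field(default_factory=dict)  # amount each bidder currently has locked

    def bid(self, sender: str, amount: int) -> None:
        # Recommendation 1: the NFT owner must not bid on their own auction.
        if self.hardened and sender == self.nft_owner:
            raise AuctionError("Owner cannot bid")
        if amount <= self.highest_bid:
            raise AuctionError("Bid must exceed the current highest bid")
        self.escrow[sender] = self.escrow.get(sender, 0) + amount
        self.highest_bid, self.highest_bidder = amount, sender

    def withdraw(self, sender: str) -> int:
        # Recommendation 2: the current highest bidder's funds stay locked.
        if self.hardened and sender == self.highest_bidder:
            raise AuctionError("Highest bidder cannot withdraw")
        refund = self.escrow.pop(sender, 0)
        if refund == 0:
            raise AuctionError("Nothing to withdraw")
        return refund  # highest_bid is not reset, so an unchecked withdraw leaves it inflated


def owner_inflation_scenario(hardened: bool) -> dict:
    """Alice bids 100; the owner tries to outbid with 200 and then withdraw that bid."""
    auction = Auction(nft_owner="owner", hardened=hardened)
    auction.bid("alice", 100)
    refund = 0
    try:
        auction.bid("owner", 200)
        refund = auction.withdraw("owner")
    except AuctionError:
        pass  # hardened model: the owner's bid is rejected before any funds move
    return {"highest_bid": auction.highest_bid, "highest_bidder": auction.highest_bidder,
            "owner_refund": refund, "owner_locked": auction.escrow.get("owner", 0)}
```

With `hardened=False` the owner ends as highest bidder at 200 with nothing locked, which is the zero-cost price inflation the finding describes.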

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
