Starknet Auction

First Flight #26
Beginner Friendly, NFT
100 EXP
Submission Details
Severity: high
Valid

Highest Bidder Can Withdraw Their Bid

Summary

The withdraw function allows the highest bidder to withdraw their bid, enabling them to obtain the NFT without payment.

Vulnerability Details

There is no check in the withdraw function to prevent the highest bidder from withdrawing their bid amount after winning the auction.

Code Reference:

// In withdraw function
let caller = get_caller_address();
let amount = self.bid_values.entry(caller).read();
// No check to prevent highest bidder from withdrawing

Impact

  • Financial Loss to Owner: The highest bidder can withdraw their funds after receiving the NFT.

  • Integrity Compromise: Undermines the fairness of the auction.

Recommendations

  • Restrict Highest Bidder Withdrawal: Add a check:

// In withdraw function
assert(caller != self.highest_bidder.read(), 'Highest bidder cannot withdraw');
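The check above in the context of a complete, minimal auction contract, as an added example that is not the audited project's code. The storage layout (`highest_bidder`, `highest_bid`, a `bid_values` map holding the total each address has locked), the `bid` entrypoint and the omitted token transfers are assumptions; the error short string is kept under Cairo's 31-character limit for `felt252` literals.

```cairo
// Added example (not the audited contract): a minimal Starknet auction showing
// the hardened `withdraw`. Storage names and the `bid` entrypoint are assumed.
#[starknet::interface]
pub trait IAuction<TContractState> {
    fn bid(ref self: TContractState, amount: u256);
    fn withdraw(ref self: TContractState);
}

#[starknet::contract]
pub mod Auction {
    use starknet::{ContractAddress, get_caller_address};
    use starknet::storage::{
        Map, StoragePathEntry, StoragePointerReadAccess, StoragePointerWriteAccess,
    };

    #[storage]
    struct Storage {
        highest_bidder: ContractAddress,
        highest_bid: u256,
        // Assumed layout: total value each address has locked across all of its bids.
        bid_values: Map<ContractAddress, u256>,
    }

    #[abi(embed_v0)]
    impl AuctionImpl of super::IAuction<ContractState> {
        fn bid(ref self: ContractState, amount: u256) {
            let caller = get_caller_address();
            assert(amount > self.highest_bid.read(), 'Bid too low');
            // The token transfer-in of `amount` is omitted; it is assumed to
            // have happened before this point.
            let locked = self.bid_values.entry(caller).read();
            self.bid_values.entry(caller).write(locked + amount);
            self.highest_bidder.write(caller);
            self.highest_bid.write(amount);
        }

        // Hardened withdraw: the current highest bidder cannot reclaim the funds
        // backing the winning bid; every other participant gets back all it locked.
        fn withdraw(ref self: ContractState) {
            let caller = get_caller_address();
            // This is the check missing from the reported function. Without it the
            // winner could drain `bid_values[winner]` and keep the NFT unpaid.
            assert(caller != self.highest_bidder.read(), 'Highest bidder cannot withdraw');
            let amount = self.bid_values.entry(caller).read();
            assert(amount > 0, 'Nothing to withdraw');
            // Zero the balance before paying out (checks-effects-interactions).
            self.bid_values.entry(caller).write(0);
            // The token transfer-out of `amount` to `caller` is omitted.
        }
    }
}
```

One design consideration: if `bid_values` accumulates every bid an address has placed, as the judge's note suggests, the blanket `assert` also locks in the winner's earlier, already outbid amounts. A variant that lets the highest bidder withdraw `amount - highest_bid` while keeping the winning bid locked for the NFT owner would address that; the simpler check shown here is the one the report recommends.
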
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The `highest_bidder` can withdraw the value of all bids

The `withdraw` function allows the participants to receive back the value of all their unsuccessful bids. The problem is that the winner of the auction will receive all bids including the `highest_bid` that should be paid to the NFT owner.
