Starknet Auction

First Flight #26

Beginner FriendlyNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Transfer Success Verification and Potential Denial of Service in end Function

adamszymanski

Summary

The contract does not verify the success of the NFT transfer to the highest bidder in the end function. If the transfer fails, it can lead to funds being locked indefinitely, causing a denial of service for the highest bidder and other participants.

Vulnerability Details

In the end function, after calling erc721_dispatcher.transfer_from, there is no check to ensure that the NFT was successfully transferred to the highest bidder's address. If the transfer fails due to reasons such as lack of approval, incorrect token ID, or other issues, the auction concludes without delivering the NFT to the highest bidder. Additionally, since the contract does not handle transfer failures, the funds remain locked, and the auction cannot be properly finalized.

Code Reference:

// In end function

erc721_dispatcher.transfer_from(sender, self.highest_bidder.read(), self.nft_id.read().into());

// No verification of transfer success

Impact

Highest Bidder Does Not Receive NFT: The highest bidder may not receive the NFT despite paying the highest bid amount.
Funds Locked Indefinitely: Both the highest bidder's payment and the NFT remain locked in the contract, causing financial loss and frustration.
Denial of Service: Other bidders cannot withdraw their bids, and the auction cannot be properly concluded.
Loss of Trust: Participants may lose confidence in the auction platform due to unresolved transactions and lack of proper error handling.

Recommendations

Verify Transfer Success: After the transfer call, confirm that the NFT is now owned by the highest bidder.
Use Safe Transfer Methods: Utilize functions that return a success status or throw an exception on failure, and handle these outcomes appropriately.
Revert on Failure: Ensure that the transaction reverts if the NFT transfer fails, preventing the auction from concluding under invalid conditions.
Implement Error Handling: Introduce proper error handling to manage transfer failures gracefully, possibly allowing for retries or alternative resolutions.
Add Emergency Mechanisms: Provide a function to refund the highest bidder and other participants if the transfer cannot be completed after a certain period.
Emit Failure Events: Emit events to notify participants of the failure, so they are informed and can take appropriate action.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

132

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.