Starknet Auction

First Flight #26
Severity: medium
Invalid

`fn bid` has no check to ensure the NFT owner can't bid, so the owner can artificially inflate `highest_bid`

Summary

The NFT owner can call `fn bid` like any other participant and inflate the highest price.

Vulnerability details

The `fn bid` function:

    fn bid(ref self: ContractState, amount: u64) {
        let time = get_block_timestamp();
        let erc20_dispatcher = IERC20Dispatcher { contract_address: self.erc20_token.read() };
        let sender = get_caller_address();
        let receiver = get_contract_address();
        let current_bid = self.highest_bid.read();
        assert(self.started.read(), 'Auction is not started');
        assert(time < self.bidding_end.read(), 'Auction ended');
        assert(amount > current_bid, 'The bid is not sufficient');
        self.bid_values.entry(sender).write(amount);
        self.emit(NewHighestBid { amount: self.highest_bid.read(), sender: sender });
        self.highest_bidder.write(sender);
        self.highest_bid.write(amount);
        erc20_dispatcher.transfer(receiver, amount.into());
        //@audit no check ensures that the caller of this function is not the owner:
        // the owner can bid to inflate the price and, when the auction ends, withdraw the bid amount
    }

link to code

The `bid` function has no check preventing the NFT owner from calling it.

POC:

Assume the following scenario:

- Initial price of nft_1 = 100 USDC
- Alice bids 110 USDC
- Leroy bids 120 USDC
- The NFT owner calls `bid` with 200 USDC

After this point the highest bid becomes 200 USDC. This bid raises the price for every subsequent bidder, because nothing in the function prevents the owner from bidding.

Impact

The NFT owner can hike the price by bidding on their own NFT.

Tools used

Manual review

Recommended mitigation

Add a check in `fn bid` that rejects calls from the NFT owner.
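The following is an added example of how that check could look, written for this report and not taken from the First Flight codebase. It assumes the auction contract keeps the seller's address in a storage variable named `owner` (a hypothetical name, set here in the constructor) and otherwise keeps the same storage fields, event and ERC20 transfer call as the snippet above; the owner check is the only hardening added.

```cairo
use starknet::ContractAddress;

// Minimal ERC20 surface needed by `bid` (only `transfer`, as in the original snippet).
#[starknet::interface]
trait IERC20<TContractState> {
    fn transfer(ref self: TContractState, recipient: ContractAddress, amount: u256) -> bool;
}

#[starknet::contract]
mod HardenedAuction {
    use starknet::{ContractAddress, get_block_timestamp, get_caller_address, get_contract_address};
    use starknet::storage::{
        Map, StoragePathEntry, StoragePointerReadAccess, StoragePointerWriteAccess,
    };
    use super::{IERC20Dispatcher, IERC20DispatcherTrait};

    #[storage]
    struct Storage {
        // Assumed field: the NFT seller who created the auction.
        owner: ContractAddress,
        erc20_token: ContractAddress,
        started: bool,
        bidding_end: u64,
        highest_bid: u64,
        highest_bidder: ContractAddress,
        bid_values: Map<ContractAddress, u64>,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    enum Event {
        NewHighestBid: NewHighestBid,
    }

    #[derive(Drop, starknet::Event)]
    struct NewHighestBid {
        amount: u64,
        sender: ContractAddress,
    }

    #[constructor]
    fn constructor(
        ref self: ContractState, erc20_token: ContractAddress, starting_price: u64, bidding_end: u64,
    ) {
        // The deployer is recorded as the seller so `bid` can reject them later.
        self.owner.write(get_caller_address());
        self.erc20_token.write(erc20_token);
        self.highest_bid.write(starting_price);
        self.bidding_end.write(bidding_end);
        self.started.write(true);
    }

    #[external(v0)]
    fn bid(ref self: ContractState, amount: u64) {
        let sender = get_caller_address();
        // Mitigation: the seller must not be able to raise the price of their own auction.
        assert(sender != self.owner.read(), 'Owner cannot bid');

        let time = get_block_timestamp();
        let current_bid = self.highest_bid.read();
        assert(self.started.read(), 'Auction is not started');
        assert(time < self.bidding_end.read(), 'Auction ended');
        assert(amount > current_bid, 'The bid is not sufficient');

        self.bid_values.entry(sender).write(amount);
        self.highest_bidder.write(sender);
        self.highest_bid.write(amount);
        // Emit the bid that was just accepted.
        self.emit(NewHighestBid { amount, sender });

        // Token movement kept as in the original snippet.
        let erc20 = IERC20Dispatcher { contract_address: self.erc20_token.read() };
        erc20.transfer(get_contract_address(), amount.into());
    }
}
```

The owner check runs before any state is touched, so a seller's call reverts without consuming a bid slot or emitting an event; placing it first also keeps the remaining assertions identical to the original ordering.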

Updates

Lead Judging Commences

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
