Overwriting of previous bids leads to loss of tokens on multiple bids
Summary
A vulnerability in the StarkNet auction contract allows participants to lose their previous bids if they bid multiple times. When a participant submits a new bid, the previous bid is overwritten in the bid_values storage, resulting in the loss of the initial tokens. This issue may cause significant losses for participants who bid multiple times without withdrawing their previous bids first.
Vulnerability Details
In the current implementation of the bid function, when a participant places a new bid, the new bid overwrites the previous one in the bid_values map. The new bid replaces the old one entirely, and the previous amount is effectively "lost" in the contract until the end of the auction. This means participants who bid more than once without withdrawing their previous bids can lose the value of their initial ERC20 token bids.
Sequence of Events Leading to the Issue:
Participant A bids 200 ERC20 tokens.
Participant B bids 300 ERC20 tokens, making Participant B the highest bidder.
Participant A bids again with 400 ERC20 tokens.
Participant A's previous bid of 200 ERC20 tokens is overwritten and is no longer accessible for withdraw.
Impact
Loss of ERC20 tokens for participants: Participants who bid multiple times without withdrawing their previous bids will lose their earlier bids. This can lead to significant financial loss, especially in competitive auctions where participants bid repeatedly.
Potential trust issues: This issue can lead to dissatisfaction among participants, as they may lose their ERC20 tokens without clear warning or understanding.
Auction inefficiency: This vulnerability creates inefficiencies in the auction process, where participants may be discouraged from bidding multiple times due to the risk of losing their previous bids.
Tools Used
Manual code review.
Recommendations
o resolve this issue, the contract should accumulate the participant's new bid with their previous bid instead of overwriting it. This way, the participant's total bid amount is tracked correctly, and no ERC20 tokens are lost.
Recommended Fix:
Instead of overwriting the previous bid, the new bid should be added to the participant's existing bid in bid_values:
Explanation:
Read the current bid: The current bid for the participant is read from the
bid_valuesmap.Add the new bid: The new bid is added to the previous bid, ensuring that the total amount of ERC20 tokens is accumulated.
Save the total bid: The combined amount is saved back into
bid_values, so the participant’s total ERC20 bid amount is tracked.
Lead Judging Commences
Wrong bid amount in `bid` function
In the `bid` function the bid values are stored using `self.bid_values.entry(sender).write(amount)` directly, but this overwrites any previous bids made by the same bidder. Therefore if a participant makes 2 or more bids, the participant can then withdraw only the last value of the last bid. That is incorrect, the protocol should save all bids and a participant should withdraw the value of the all unsuccessful bids.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.