Submission Details
Severity:
`transfer` function used instead of the `transfer_from` one
Summary
transfer function is used to transfer amount of bids to the contract, instead of the transfer_from function.
Vulnerability Details
The contract should receive the amount from the sender/callerand not from itself.
https://github.com/Cyfrin/2024-10-starknet-auction/blob/main/src/starknet_auction.cairo#L113
fn bid(ref self: ContractState, amount: u64) {
let time = get_block_timestamp();
let erc20_dispatcher = IERC20Dispatcher { contract_address: self.erc20_token.read() };
let sender = get_caller_address();
let receiver = get_contract_address();
let current_bid = self.highest_bid.read();
assert(self.started.read(), 'Auction is not started');
assert(time < self.bidding_end.read(), 'Auction ended');
assert(amount > current_bid, 'The bid is not sufficient');
self.bid_values.entry(sender).write(amount);
self.emit(NewHighestBid {amount: self.highest_bid.read(), sender: sender});
self.highest_bidder.write(sender);
self.highest_bid.write(amount);
@> erc20_dispatcher.transfer(receiver, amount.into());
}
Impact
The contract will not get the additional amount of ERC20 tokens expected from the caller.
Tools Used
Manual review
Recommendations
Call transfer_from function instead of the transfer one.
Rewards breakdown
nSLOC
132This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.