Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Auctions may be won and rigged by contracts that can't receive eth

Summary

Auctions rely on a system that sends ETH back to the previous highest bidder when they are outbid or when the owner repays the loan. If that bidder cannot receive ETH, the auction cannot proceed any further.

Vulnerability Details

Let's look at the placeBid logic:

```solidity
function placeBid(uint256 tokenId) external payable {
    TokenData storage data = tokenData[tokenId];
    if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();
    uint256 minBidAmount = data.highestBid + (data.highestBid * minBidIncreasePercentage / 100);
    if (msg.value <= minBidAmount) revert BidTooLow(minBidAmount);
    if (data.highestBidder != address(0)) {
        // @note This transfer reverts if highestBidder cannot receive ETH: easiest trick in the game.
        payable(data.highestBidder).transfer(data.highestBid);
    } // a highestBidder that cannot receive ETH blocks every later bid
    data.highestBid = msg.value;
    data.highestBidder = msg.sender;
    emit BidPlaced(tokenId, msg.sender, msg.value);
}
```

Consider the scenario where highestBidder is an address that cannot receive ETH: the transfer inside placeBid reverts, so every subsequently placed bid reverts as well.

Impact

The impact is high: the bidder cannot be outbid, and the borrower cannot repay the loan either. This is an easy way to acquire NFTs well below their market price.

Tools Used

AGI

Recommendations

Use a pull-payment mechanism (record the refund and let the outbid bidder withdraw it), or pay refunds in an ERC20 token whose transfer won't revert on the recipient side.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
