`NFTLiquidator::placeBid` can be subjected to a DoS attack, leading to the sale of liquidated NFTs for 1 wei
Description:
The NFTLiquidator::placeBid function uses transfer() to return ETH to the previous highest bidder when a new bid is placed:
If the highest bidder is a smart contract that:
Deliberately reverts in fallback
Does not implement fallback/receive functions
The transfer() will fail, causing the entire placeBid() transaction to revert. This creates a Denial of Service (DoS) vulnerability.
Since at the beginning of the auction, the highestBid in the liquidateNFT function is set to 0...
...and the first value of the variablemindBidAmount in placeBid()function is 0...
...an attacker can scan the mempool for calls to liquidateNFT(), use a malicious smart contract to place the first minimum bid of 1 wei, block the execution of the placeBid function for сertain tokenId due to a DoS attack, wait for the auction to end, call the NFTLiquidator::endAuction function (it's not protected by access control) and, since he will be the only participant in the auction, claim the NFT for the minimum price of 1 wei.
This scenario applies to all newly liquidated NFTs.
Impact:
It's a critical vulnerability allows an attacker to acquire any liquidated NFTs for 1 wei by placing a minimum bid through a malicious contract that blocks all subsequent bids, completely breaking the protocol's liquidation mechanism and making bad debt recovery impossible. Affects all auctions where highest bidder is a malicious contract
Recommended Mitigation:
Consider implementing a separate withdrawBid() function where the user can withdraw their bid themselves
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.