Any bidder could cause DOS in auctionDemo#claimAuction #1584
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-734
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
auctionDemo#claimAuction is called by the auction winner or an admin once the auction has ended. The function sends the NFT to the winner, pays the winning bid to the previous owner of the NFT and refunds every bidder who did not win. At line 116 the contract makes a low-level call to each losing bidder's address to return the bid in ether. The result of that call is not required to be successful, so at first sight this looks safe: if a bidder contract simply reverts, the loop continues. However, a call made without an explicit gas limit forwards 63/64 of the remaining gas (EIP-150), and a malicious bidder contract can consume all of it, leaving only 1/64 for the rest of the refund loop. The following iterations then run out of gas and the whole claimAuction transaction reverts.
Raising the transaction gas limit up to the block gas limit does not prevent the exploit: an attacker can place a few bids from such contracts, and each refund call consumes 63/64 of whatever gas is left at that point. With a 30,000,000 gas limit roughly 468,750 gas remains after the first malicious refund call and about 7,300 after the second, which is not enough to finish the loop.
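Added example, not code from the NextGen repository: a simplified push-refund loop of the shape described above, a bidder contract that burns all gas forwarded to it, and the pull-based withdraw flow that the Recommended Mitigation Steps propose. The auction is reduced to a single token and a flat bid list, the access-control modifier, NFT transfer and seller payout are omitted, and the names AuctionBase, BidInfo, refunds, withdrawRefund and GasBurner are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not code from the NextGen repository. The auction is
// reduced to one token and a flat bid list; access control, NFT transfer and
// seller payout are omitted. AuctionBase, BidInfo, refunds, withdrawRefund and
// GasBurner are hypothetical names.

abstract contract AuctionBase {
    struct BidInfo { address bidder; uint256 bid; bool status; }
    BidInfo[] public bids;
    address public highestBidder;
    uint256 public highestBid;
    bool public claimed;

    event Refund(address indexed bidder, uint256 amount, bool success);

    function bid() external payable {
        require(msg.value > highestBid, "bid too low");
        bids.push(BidInfo(msg.sender, msg.value, true));
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    function _isWinningBid(BidInfo storage b) internal view returns (bool) {
        return b.bidder == highestBidder && b.bid == highestBid;
    }
}

// Vulnerable pattern: refunds are pushed to every losing bidder from inside one
// loop. `call` with no gas limit forwards 63/64 of the remaining gas (EIP-150)
// and the result is ignored, so a reverting receiver is harmless, but a
// receiver that burns everything it is given leaves 1/64 for the rest of the
// loop and the claim runs out of gas.
contract PushRefundAuction is AuctionBase {
    function claimAuction() external {
        require(!claimed, "already claimed");
        claimed = true;
        for (uint256 i = 0; i < bids.length; i++) {
            BidInfo storage b = bids[i];
            if (b.status && !_isWinningBid(b)) {
                (bool success, ) = payable(b.bidder).call{value: b.bid}("");
                emit Refund(b.bidder, b.bid, success); // success is never checked
            }
        }
    }
}

// Hardened pattern (pull payments): claimAuction only records what each losing
// bidder is owed and never calls into a bidder, so no bidder can influence the
// gas budget of the claim. Each bidder withdraws in its own transaction.
contract PullRefundAuction is AuctionBase {
    mapping(address => uint256) public refunds;

    function claimAuction() external {
        require(!claimed, "already claimed");
        claimed = true;
        for (uint256 i = 0; i < bids.length; i++) {
            BidInfo storage b = bids[i];
            if (b.status && !_isWinningBid(b)) {
                b.status = false;
                refunds[b.bidder] += b.bid;
            }
        }
    }

    // Checks-effects-interactions: zero the balance before the external call so
    // a re-entering receiver cannot withdraw twice. A receiver that reverts or
    // burns gas only blocks its own refund.
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "refund transfer failed");
    }
}

// Bidder contract of the kind the finding describes. While `burn` is set, its
// receive() executes INVALID, which consumes every unit of gas forwarded to it;
// the owner can switch it off later so the blocked claim goes through again.
contract GasBurner {
    bool public burn = true;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function setBurn(bool on) external {
        require(msg.sender == owner, "not owner");
        burn = on;
    }

    function placeBid(AuctionBase auction) external payable {
        auction.bid{value: msg.value}();
    }

    receive() external payable {
        if (burn) {
            assembly { invalid() }
        }
    }
}
```

Against PushRefundAuction, two or three GasBurner bids placed before an honest high bid are enough to make claimAuction revert with out-of-gas regardless of the transaction gas limit; against PullRefundAuction the same bidders only lose access to their own refunds, because the claim never forwards gas to them.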
Impact
Any bidder can cause a permanent DOS of auctionDemo#claimAuction, locking all bids and the NFT inside the auction contract. Because the attacker controls the bidder contract, they can switch the DOS off at any time, so they can hold the assets hostage and demand a payment for releasing them.
Proof of Concept
The following Foundry test shows the exploit scenario:
The test requires the Base.t.sol file from https://gist.github.com/sashik-eth/accf61913418dddc86d94ff5ae6fe9bd and the following line in foundry.toml:
gas_limit = 30000000
Recommended Mitigation Steps
Consider changing the refund flow to a pull pattern: record the amount owed to each losing bidder and let each bidder withdraw it in a separate call, instead of pushing all refunds from inside auctionDemo#claimAuction.
Assessed type
ETH-Transfer