Auction DoS and Manipulation #1784
Labels: 3 (High Risk) (assets can be stolen/lost/compromised directly); bug (something isn't working); duplicate-1323; partial-50 (incomplete articulation of vulnerability; eligible for partial credit only (50%))
Timeline
Nov 13, 2023: c4-submissions added the labels 3 (High Risk) and bug, and added a commit that referenced this issue.
141345 marked the issue as duplicate of #486; alex-ppg marked the issue as not a duplicate.
Dec 1, 2023: c4-judge added the primary issue label (highest quality submission among a set of duplicates); alex-ppg marked the issue as primary issue.
Dec 2, 2023: this issue was referenced by other issues (since closed).
alex-ppg marked issue #1513 as primary and marked this issue as a duplicate of 1513.
Dec 4, 2023: c4-judge added duplicate-1513 and duplicate-1323, and removed primary issue and duplicate-1513.
alex-ppg marked the issue as duplicate of #1323.
Dec 8, 2023: c4-judge added partial-50; alex-ppg marked the issue as partial-50.
Dec 8, 2023: c4-judge added satisfactory (satisfies C4 submission criteria; eligible for awards) and removed partial-50; alex-ppg marked the issue as satisfactory.
Dec 8, 2023: alex-ppg marked the issue as partial-50 again; c4-judge added partial-50 and removed satisfactory.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L58
Vulnerability details

Impact

The AuctionDemo contract is susceptible to Denial of Service (DoS) and manipulation through malicious bids, stemming from its approach to accepting and managing bids. Exploiting this weakness, an attacker can not only block other users from placing bids but also secure a winning position in the auction with the minimum bid amount.

Proof of Concept

The participateToAuction function reverts if msg.value is not greater than the current highest bid. However, bids can be canceled at any point before the auction's end time using the functions cancelBid and cancelAllBids. Given this, the following steps can be executed:

… cancelBid function, specifying the index of the highest bid.

… participateToAuction with a higher bid in an attempt to outbid the attacker, the attacker incurs no loss. Yet, the NFT is likely to be sold for an unfairly low price.

In the best-case scenario, users will be blocked from participating in the auction, making a fair bidding process unattainable. In the worst-case scenario, the attacker can acquire the NFT at an unfairly low price.
It is important to note that this serves as an illustrative example featuring extreme values for clarity. A sophisticated attack might employ refined calculations for subtler and more gradual manipulation, achieving a similar outcome with smaller gains and reduced detectability. Regardless, such manipulation would compromise the integrity of the auction, resulting in a loss of value.
Demonstration

Create a new file at hardhat/test/randomizerRevert.js and add the following content:

Next, since we are using .only to run only our test, execute the following command from within the hardhat directory:

$ npx hardhat test
Tools Used
Manual: code editor, Hardhat.
Recommended Mitigation Steps

One potential quick solution is to lock the bid funds until the conclusion of the auction, which removes the incentive for an attacker to attempt this exploit.

Alternatively, a more involved solution is to restructure auctionInfoData to use a map instead of an array, allowing any msg.value to be bid. This approach would assign each msg.value to a distinct time-ordered priority queue to resolve equal bids. At the conclusion of the auction, the first bidder to have placed the highest bid in their bucket would be the winner, rendering the exploit ineffective. As an added convenience, a boolean parameter could give users the option to revert the transaction if a higher bid already exists.

Regardless of the chosen solution, viable options exist that will not compromise user experience or impede economic efficiency.
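As an added example, not part of this submission or of the NextGen code base, the following JavaScript model reproduces the bid/cancel rules described in the Proof of Concept and adds the first recommended mitigation (bids locked until the auction concludes) as a switch. AuctionModel, highestBidMonotone, checkRules and the action trace are constructed for illustration; the invariant checked is that the highest active bid never decreases while the auction is open.

```javascript
// Constructed model of the bidding rules (not AuctionDemo.sol itself): an
// array of bids like auctionInfoData, participateToAuction that rejects any
// bid not above the current highest, and cancelBid. `lockUntilEnd` enables
// the mitigation: no withdrawals before the auction concludes.
class AuctionModel {
  constructor(endTime, lockUntilEnd) {
    this.endTime = endTime;
    this.lockUntilEnd = lockUntilEnd;
    this.bids = []; // { bidder, value, status }; status=false once cancelled
  }
  highestBid() {
    return this.bids.reduce((m, b) => (b.status && b.value > m ? b.value : m), 0);
  }
  participateToAuction(bidder, value, now) {
    if (now >= this.endTime) throw new Error("auction ended");
    if (value <= this.highestBid()) throw new Error("bid not above highest bid");
    this.bids.push({ bidder, value, status: true });
    return this.bids.length - 1; // index the bidder would pass to cancelBid
  }
  cancelBid(bidder, index, now) {
    if (now >= this.endTime) throw new Error("auction ended");
    if (this.lockUntilEnd) throw new Error("bids locked until auction end");
    const b = this.bids[index];
    if (!b || b.bidder !== bidder || !b.status) throw new Error("not an active bid of caller");
    b.status = false; // the real contract refunds the bidder here
  }
}

// Defender's invariant: the highest active bid never decreases while the
// auction is open. Replays a trace of actions and reports whether it held;
// an action that reverts leaves the state unchanged, as on-chain.
function highestBidMonotone(model, actions) {
  let last = 0;
  for (const a of actions) {
    try {
      if (a.op === "bid") model.participateToAuction(a.who, a.value, a.t);
      else model.cancelBid(a.who, a.index, a.t);
    } catch (e) { /* reverted */ }
    const h = model.highestBid();
    if (h < last) return false;
    last = h;
  }
  return true;
}

// Constructed trace: a top bid is placed, blocks a lower bid, and is then
// withdrawn shortly before the end time (endTime = 10).
const TRACE = [
  { op: "bid", who: "A", value: 100, t: 1 },
  { op: "bid", who: "B", value: 50, t: 3 },   // reverts: not above 100
  { op: "cancel", who: "A", index: 0, t: 9 }, // succeeds only without the lock
];
function checkRules(lockUntilEnd) {
  return highestBidMonotone(new AuctionModel(10, lockUntilEnd), TRACE);
}
```

With the lock disabled the invariant fails (the highest bid drops from 100 to 0 after the late cancellation); with it enabled the cancellation reverts and the invariant holds.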
Assessed type
DoS