AuctionDemo is susceptible to Gas Griefing Attack #439
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-734
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Comments
c4-submissions added the labels 3 (High Risk) (Assets can be stolen/lost/compromised directly) and bug (Something isn't working) on Nov 7, 2023.
code4rena-admin changed the title from "Griefer could perma lock bids value in auction" to "Potential Auction Bid Locking Exploit" on Nov 7, 2023.
code4rena-admin changed the title from "Potential Auction Bid Locking Exploit" to "AuctionDemo ClaimAuction is susceptible to Gas Griefing or Dos" on Nov 7, 2023.
code4rena-admin changed the title from "AuctionDemo ClaimAuction is susceptible to Gas Griefing or Dos" to "AuctionDemo ClaimAuction is susceptible to Gas Griefing Attack" on Nov 9, 2023.
code4rena-admin changed the title from "AuctionDemo ClaimAuction is susceptible to Gas Griefing Attack" to "AuctionDemo is susceptible to Gas Griefing Attack" on Nov 11, 2023.
141345 marked the issue as duplicate of #843
141345 marked the issue as duplicate of #486
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #1782
alex-ppg marked the issue as satisfactory
c4-judge added the satisfactory label (satisfies C4 submission criteria; eligible for awards) on Dec 8, 2023.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L104-L120
Vulnerability details
Impact
The current state of the AuctionDemo handles bids and claiming an auction in a way that allows a griefing party to permanently lock all non-canceled bids by forcing the claiming transaction out of gas. This attack can be as inexpensive as the attacker desires, given the absence of a minimum bid check in the current implementation of the auction.
The claimAuction() function iterates through non-canceled bids, refunds bidders, and transfers the auctioned NFT and the winning bid to the owner. However, a malicious contract can disrupt the process when funds are transferred to it. The current claimAuction() function:
Proof of Concept
The vulnerability arises when a griefing contract gets refunded on a placed bid: the griefing contract's receive() intentionally runs out of gas when it is being refunded, using an infinite loop. To reproduce this, add the following contract and interface at hardhat/smart-contracts/Griefer.sol and hardhat/smart-contracts/IAuction.sol.
Modify your fixtures in hardhat/scripts/fixturesDeployment.js to add the griefer contract. Finally, you can run the test with the following modified nextGen.test.js, which:
Tools Used
vs code, hardhat
Recommended Mitigation Steps
Allow the retrieval of any non-winning bids at all times and simplify the claimAuction() function to handle only the winning bid. It should be noted that this only resolves the issue in the scope of the griefer attack; the claiming functions in their current state still allow another kind of DoS attack, which has been dealt with in a separate issue.
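As an added illustration of the recommended shape (example code, not the NextGen AuctionDemo contract), a hypothetical minimal Solidity auction in which claimAuction() handles only the winning bid and outbid bidders pull their own refunds at any time; the PullAuction, placeBid and withdrawBid names and the minimum-bid floor are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal auction showing the pull-payment shape of the mitigation:
// claim touches only the winning bid, losing bidders withdraw their own funds.
// Added illustration, not the NextGen AuctionDemo contract.
contract PullAuction {
    struct Bid { address bidder; uint256 amount; bool withdrawn; }
    address public immutable owner;
    uint256 public immutable endTime;
    uint256 public immutable minBid; // assumed floor so griefing bids are not free
    Bid[] public bids;
    uint256 public highestIndex;     // index of the current top bid in `bids`
    bool public claimed;
    constructor(uint256 duration, uint256 minBid_) {
        owner = msg.sender;
        endTime = block.timestamp + duration;
        minBid = minBid_;
    }
    function placeBid() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value >= minBid, "below minimum bid");
        uint256 top = bids.length == 0 ? 0 : bids[highestIndex].amount;
        require(msg.value > top, "bid too low");
        bids.push(Bid(msg.sender, msg.value, false));
        highestIndex = bids.length - 1;
    }
    // No loop over bidders: a bidder whose receive() burns all gas or reverts
    // cannot block the claim, because claim never sends ether to a bidder.
    function claimAuction() external {
        require(block.timestamp >= endTime && bids.length > 0, "nothing to claim");
        require(!claimed, "already claimed");
        claimed = true;                       // effects before the external call
        Bid storage win = bids[highestIndex];
        win.withdrawn = true;
        (bool ok, ) = payable(owner).call{value: win.amount}("");
        require(ok, "owner transfer failed");
        // the auctioned NFT would be transferred to win.bidder here
    }
    // Each outbid bidder pulls their own refund at any time; a failing
    // receive() only breaks that bidder's own withdrawal, nobody else's.
    function withdrawBid(uint256 index) external {
        Bid storage b = bids[index];
        require(b.bidder == msg.sender, "not your bid");
        require(index != highestIndex && !b.withdrawn, "not withdrawable");
        b.withdrawn = true;                   // effects before the external call
        (bool ok, ) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");
    }
}
```

Because every outgoing transfer now goes to the party who asked for it, a receiver that runs out of gas or reverts can only fail its own transaction, and the claim path has no per-bidder external call left to grief.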
Assessed type
DoS