Adversary can cause permanent DOS in claimAuction() and total loss of funds. #805
Labels: 3 (High Risk) - Assets can be stolen/lost/compromised directly; bug - Something isn't working; duplicate-734; edited-by-warden; satisfactory - satisfies C4 submission criteria, eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/ff8cfc5529ee4a567e1ce1533b4651d6626d1def/smart-contracts/AuctionDemo.sol#L116
Vulnerability details
Impact
The AuctionDemo.claimAuction() function is vulnerable to a Denial of Service (DoS) attack: an adversary can exploit an operation within the function to cause disruption. The vulnerability arises from the loop that iterates through the entire array of auction participants to refund the users who lost the bid to the highest bidder. The attack becomes feasible when an adversary deploys a contract that interacts with the AuctionDemo contract and participates multiple times in the auction with negligible amounts. As long as each bid amount increases, it satisfies the requirements, which lets the adversary flood the auction process.
The likelihood of this attack is high, since there is no minimum bid set at the beginning of the auction, so not much liquidity is required by the attacker.
Impact: claiming the auction will be impossible, refunds will be impossible, and there is also no way for the protocol admin to recover funds, because the contract lacks a method for emergency withdrawal of Ether.
Proof of Concept
AuctionDemo.claimAuction() iterates through auctionInfoData[_tokenid] to refund participants here. The attacker can exploit a contract's fallback function, which is triggered when the contract receives Ether, to execute logic that consumes the entire gas of the transaction. This intentional gas exhaustion results in an out-of-gas error, causing a Denial of Service (DoS).
Check the attacker's contract.
Paste the coded PoC into nexGen.test.js.
Logs:
Tools Used
Manual review and Hardhat.
Recommended Mitigation Steps
Implement a refund() method and allow users who lost the bid to claim their funds individually.
Assessed type
DoS
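A hypothetical, simplified auction in Solidity showing the pull-payment refund recommended in the mitigation above (an added example, not the NextGen AuctionDemo code; all names and the storage layout are assumptions). It goes one step further than the recommendation: a loser is credited at the moment they are outbid, so claimAuction() has no loop over participants at all and no participant's fallback ever runs inside it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical auction (names and storage are assumptions, not AuctionDemo's).
// Refunds are "pull": losers are credited when outbid and withdraw themselves,
// so no participant's receive()/fallback can run inside claimAuction().
contract PullRefundAuction {
    struct Bid { address bidder; uint256 amount; }

    mapping(uint256 => Bid) public highest;            // current top bid per token
    mapping(uint256 => bool) public settled;           // auction already claimed?
    mapping(address => uint256) public pendingRefunds; // Ether each loser may pull
    address payable public immutable beneficiary;

    constructor(address payable _beneficiary) { beneficiary = _beneficiary; }

    function participate(uint256 tokenId) external payable {
        require(!settled[tokenId], "auction settled");
        Bid memory top = highest[tokenId];
        require(msg.value > top.amount, "bid too low");
        if (top.bidder != address(0)) {
            // Outbid: record the credit instead of sending Ether to the loser.
            pendingRefunds[top.bidder] += top.amount;
        }
        highest[tokenId] = Bid(msg.sender, msg.value);
    }

    // Settlement touches only the winner and the beneficiary: constant gas,
    // no iteration over bidders, nothing for a malicious bidder to block.
    function claimAuction(uint256 tokenId) external {
        require(!settled[tokenId], "already settled");
        Bid memory top = highest[tokenId];
        require(top.bidder != address(0), "no bids");
        settled[tokenId] = true;
        // Token transfer to top.bidder would go here (omitted).
        (bool ok, ) = beneficiary.call{value: top.amount}("");
        require(ok, "payout failed");
    }

    // Each loser withdraws individually. A failing call reverts only this
    // caller's transaction and cannot affect anyone else's refund.
    function refund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to refund");
        pendingRefunds[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```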