Auction manipulation and DoS by canceling high bids #924
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-1323
edited-by-warden
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Comments
Nov 10, 2023: c4-submissions added the "2 (Med Risk)" (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and "bug" (Something isn't working) labels.
Nov 11, 2023: code4rena-admin changed the title from "Auction manipulation and DoS by canceling High bids" to "cancelAllBids() allows the higest bidder to cancel his bid and DoS an auction".
Nov 13, 2023: code4rena-admin changed the title from "Auction manipulation and DoS by canceling High bids" to "Auction manipulation and DoS by canceling high bids".
141345 marked the issue as duplicate of #962
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #1784
alex-ppg marked the issue as duplicate of #1323
alex-ppg marked the issue as partial-50
Dec 8, 2023: c4-judge added the "partial-50" label (Incomplete articulation of vulnerability; eligible for partial credit only (50%)).
alex-ppg marked the issue as satisfactory
Dec 8, 2023: c4-judge added the "satisfactory" label (satisfies C4 submission criteria; eligible for awards) and removed the "partial-50" label.
alex-ppg marked the issue as partial-50
Dec 8, 2023: c4-judge added the "partial-50" label and removed the "satisfactory" and "2 (Med Risk)" labels.
Dec 9, 2023: c4-judge added the "3 (High Risk)" (Assets can be stolen/lost/compromised directly) and "upgraded by judge" (Original issue severity upgraded from QA/Gas by judge) labels.
alex-ppg changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134-L143

Vulnerability details

Impact
Any auction can be manipulated and disrupted by placing a very low initial bid. The attacker then places a very high bid and/or consistently front-runs other bids, dissuading other bidders from participating. Just before the auction concludes, the attacker cancels all of their bids except the first one and is refunded for them, winning the auction with the initial low bid at minimal cost, primarily the gas spent.

The current implementation of cancelAllBids() and cancelBid() allows any bid to be cancelled, even if it happens to be the winning (highest) bid:

Proof of Concept
Modify your fixtures hardhat/scripts/fixturesDeployment.js to add a 4th addr:

Use this modified nextGen.test.js that:

Tools Used
vs code, hardhat

Recommended Mitigation Steps
Modify cancelAllBids() and cancelBid() to check that the highest bid is not canceled:

Additionally, I would like to suggest incorporating a minBidIncreasePercentage check to ensure that a new bid is a certain percentage larger than the last high bid. This measure is intended to discourage sniping by 1 wei or by front-runners.

Assessed type
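The two mitigations recommended above, shown together in a simplified auction contract written for this note; it is an added example, not NextGen's AuctionDemo.sol, and the struct layout, openAuction(), highestActive() and the minBidIncreasePercentage constant are assumptions. cancelBid() refuses to withdraw the bid that currently leads, and bid() requires each new bid to beat the leader by a fixed percentage rather than by 1 wei.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified auction written for this note; not NextGen's AuctionDemo.sol. Names are assumptions.
contract HardenedAuction {
    struct BidInfo { address bidder; uint256 amount; bool active; }
    uint256 public constant minBidIncreasePercentage = 5; // a new bid must top the leader by >= 5%
    mapping(uint256 => BidInfo[]) public bids;            // tokenId => bids in placement order
    mapping(uint256 => uint256) public auctionEndTime;    // tokenId => end timestamp

    function openAuction(uint256 tokenId, uint256 endTime) external {
        require(auctionEndTime[tokenId] == 0, "already open");
        auctionEndTime[tokenId] = endTime;
    }
    // Highest still-active bid for the token (amount 0 when there is none).
    function highestActive(uint256 tokenId) public view returns (uint256 idx, uint256 amount) {
        BidInfo[] storage b = bids[tokenId];
        for (uint256 i = 0; i < b.length; i++) {
            if (b[i].active && b[i].amount > amount) (idx, amount) = (i, b[i].amount);
        }
    }

    function bid(uint256 tokenId) external payable {
        require(block.timestamp < auctionEndTime[tokenId], "auction closed");
        (, uint256 top) = highestActive(tokenId);
        // Rejects 1-wei sniping: a new bid must beat the leader by minBidIncreasePercentage.
        require(msg.value > top && msg.value >= top + (top * minBidIncreasePercentage) / 100, "bid too low");
        bids[tokenId].push(BidInfo(msg.sender, msg.value, true));
    }

    function cancelBid(uint256 tokenId, uint256 index) public {
        require(block.timestamp < auctionEndTime[tokenId], "auction closed");
        BidInfo storage b = bids[tokenId][index];
        require(b.bidder == msg.sender && b.active, "not caller's active bid");
        (uint256 topIdx, uint256 top) = highestActive(tokenId);
        // Mitigation: the current highest bid is binding and cannot be withdrawn.
        require(!(top > 0 && topIdx == index), "highest bid cannot be cancelled");
        b.active = false;                                   // effects before the refund call
        (bool ok, ) = payable(msg.sender).call{value: b.amount}("");
        require(ok, "refund failed");
    }

    // Cancels every active bid of the caller except the one currently leading the auction.
    function cancelAllBids(uint256 tokenId) external {
        (uint256 topIdx, ) = highestActive(tokenId);
        BidInfo[] storage b = bids[tokenId];
        for (uint256 i = 0; i < b.length; i++) {
            if (b[i].bidder == msg.sender && b[i].active && i != topIdx) cancelBid(tokenId, i);
        }
    }
}
```

With these checks the leading bidder's funds stay locked until the auction ends, so the low first bid described in the Impact section can no longer become the winner by withdrawing the higher ones.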