Closed code423n4 closed 2 years ago
Thanks for reporting this issue. We plan to fix it in our next upgrade of the NounsAuctionHouse.
According to our analysis, this is capped by the gas usage you reported, due to only 30K gas being passed in the call.
I believe this contract was out of scope for this contest. If this will not be compensated through the contest, please reach out to us on Discord for compensation.
out of scope
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/NounsAuctionHouse.sol#L257
Vulnerability details
Impact
There is an internal function `_safeTransferETH` that is called in `createBid`. The function itself:
Please note that
is the same as
So, basically, the fact that the `bytes memory` return value is omitted does not mean that the returned data is not copied. In other words, the data returned by `call` is still copied into the memory of the calling contract. That means the contract can consume as much gas as this copying costs (including the allocation of new memory).
Memory allocation has O(n^2) gas cost. That means the more memory you have already allocated, the more expensive each further allocation becomes, and the cost grows quickly.
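The EVM memory cost the paragraph refers to, written out as an added illustration (the formula is the Yellow Paper's, with $a$ the memory size in 32-byte words; the two sample sizes below are constructed, not taken from the report):

$$C_{mem}(a) = 3a + \left\lfloor \frac{a^2}{512} \right\rfloor$$

Expanding memory from zero to 1024 words (32 KiB) costs $3 \cdot 1024 + 1024^2/512 = 5120$ gas, while expanding to 32768 words (1 MiB) costs $3 \cdot 32768 + 32768^2/512 = 2{,}195{,}456$ gas. The charge for a given expansion is $C_{mem}(a') - C_{mem}(a)$, so copying the same returned payload gets more expensive the more memory the caller is already using.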
That being said, `_safeTransferETH` is used in `createBid`, specifically to return the bid to the previous bidder. So a malicious bidder can create a contract whose fallback function returns a lot of data. This would lead to high gas consumption on a later call to `createBid`.
Proof of Concept
Recommended Mitigation Steps
Use a low-level inline assembly call so that the returned data is not copied into memory.
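The pattern described in this report and its recommended fix, side by side, as an added example (this is not the Nouns code and not the contest's PoC; the contract and function names other than `_safeTransferETH` are chosen here, and the 64 KiB return size in the receiver is a constructed value):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

/// Added example (not the NounsAuctionHouse code): the refund transfer
/// written two ways, with the same 30_000 gas stipend the report discusses.
contract RefundPatternExample {
    /// Vulnerable pattern. The `bytes memory` return value is discarded in the
    /// source, but the compiler-generated code still copies the callee's return
    /// data into this contract's memory, so a receiver that returns a large
    /// payload makes the caller pay the quadratic memory-expansion cost.
    function _safeTransferETHCopyingReturndata(address to, uint256 value)
        internal
        returns (bool)
    {
        (bool success, ) = to.call{ value: value, gas: 30_000 }("");
        return success;
    }

    /// Hardened pattern (the report's mitigation). With outOffset = 0 and
    /// outSize = 0 the EVM leaves the return data in the return buffer and
    /// never copies it, so the receiver cannot inflate the caller's gas cost.
    function _safeTransferETH(address to, uint256 value)
        internal
        returns (bool success)
    {
        assembly {
            // call(gas, to, value, inOffset, inSize, outOffset, outSize)
            success := call(30000, to, value, 0, 0, 0, 0)
        }
    }
}

/// Constructed receiver for local testing only: its fallback returns 64 KiB
/// of zeroed memory, which is what makes the copying variant expensive.
contract LargeReturnReceiver {
    fallback() external payable {
        assembly {
            // Return 0x10000 bytes starting at memory offset 0 (constructed size).
            return(0, 0x10000)
        }
    }
}
```

The receiver pays for its own memory expansion out of the 30_000 gas it is given, which is the cap the sponsor's comment refers to; what the hardened version removes is the caller-side copy, whose cost depends on how much memory `createBid` has already touched rather than on the stipend.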