code-423n4 / 2022-11-size-findings


Seller has no commitment and could use the system to create griefing attacks #122

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L409 https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L99

Vulnerability details

Impact

Creating an auction and cancelling it later in time is free, aside from gas costs. It is therefore super easy to use the system to grief bidders, and it may lead to irresponsible behaviors on the seller side.

Proof of Concept

Currently there is no penalty for creating an auction and cancelling it later in time. Although it's totally understandable to give sellers the possibility to change their mind, it shouldn't be free.

Therefore it should at least cost the seller something to cancel its auction, especially to ensure no one uses the system to create griefing attacks.

Recommended Mitigation Steps

Add a small cancellation fee to make the system more fair and mitigate the griefing attack possibility.
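The shape of the recommended mitigation, as an added illustration that is not part of the finding and not code from SizeSealed.sol: the seller posts a bond when creating the auction, cancelling forfeits that bond, and finalizing makes it claimable again. The contract, its names, the fixed bond size and the choice to send the forfeited bond to a treasury address (rather than, say, distributing it to bidders) are all assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical sketch, not SizeSealed.sol. Bidding and settlement are omitted;
/// only the bond that makes cancellation cost the seller something is shown.
contract BondedAuctionSketch {
    struct Auction {
        address seller;
        uint256 bond;          // ETH escrowed at creation
        uint64 endTimestamp;   // assumed: auction is finalizable after this
        bool live;
    }

    uint256 public immutable cancellationBond; // assumed fixed bond per auction
    address public immutable treasury;         // assumed recipient of forfeited bonds
    uint256 public nextId;
    mapping(uint256 => Auction) public auctions;
    mapping(address => uint256) public pendingRefunds; // pull-based refunds

    event AuctionCreated(uint256 indexed id, address indexed seller, uint256 bond);
    event AuctionCancelled(uint256 indexed id, uint256 forfeited);
    event AuctionFinalized(uint256 indexed id, uint256 refundable);

    constructor(uint256 bond_, address treasury_) {
        require(treasury_ != address(0), "treasury required");
        cancellationBond = bond_;
        treasury = treasury_;
    }

    /// Creating an auction is no longer free: the exact bond must be escrowed.
    function createAuction(uint64 endTimestamp) external payable returns (uint256 id) {
        require(msg.value == cancellationBond, "bond required");
        require(endTimestamp > block.timestamp, "end must be in the future");
        id = nextId++;
        auctions[id] = Auction({
            seller: msg.sender,
            bond: msg.value,
            endTimestamp: endTimestamp,
            live: true
        });
        emit AuctionCreated(id, msg.sender, msg.value);
    }

    /// Cancelling forfeits the bond, so repeated create/cancel griefing has a price.
    /// State is updated before the external transfer (checks-effects-interactions).
    function cancelAuction(uint256 id) external {
        Auction storage a = auctions[id];
        require(a.live, "not live");
        require(msg.sender == a.seller, "not seller");
        a.live = false;
        uint256 forfeited = a.bond;
        a.bond = 0;
        emit AuctionCancelled(id, forfeited);
        (bool ok, ) = treasury.call{value: forfeited}("");
        require(ok, "treasury transfer failed");
    }

    /// A seller who lets the auction run to its end gets the bond back.
    /// The refund is credited, not pushed, so a reverting seller cannot block finalization.
    function finalize(uint256 id) external {
        Auction storage a = auctions[id];
        require(a.live, "not live");
        require(block.timestamp >= a.endTimestamp, "auction not ended");
        a.live = false;
        uint256 refundable = a.bond;
        a.bond = 0;
        pendingRefunds[a.seller] += refundable;
        emit AuctionFinalized(id, refundable);
    }

    /// Pull pattern for returned bonds.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund transfer failed");
    }
}
```

The bond only needs to be large enough that repeatedly creating and cancelling auctions is no longer cheaper than the cost it imposes on bidders; it does not prevent a seller from changing their mind, it just makes that choice paid for. Whether the forfeited amount should go to a treasury or be shared among the bidders who were griefed is a design decision the finding leaves open.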

c4-judge commented 2 years ago

0xean marked the issue as duplicate

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-11-size-findings/issues/119