code-423n4 / 2022-11-size-findings

Filling all auction slots to win the auction #330

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L122
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L157

Vulnerability details

Description

The number of bids for one auction is limited to 1000. It means that someone may make all 1000 bids and thus invalidate all other bids. Therefore, a malicious user can win the auction with the minimum possible bid.

It may seem that the auction creator can protect against this attack by canceling the auction. However, if the auction is in demand, then it is impossible to distinguish the attack from the legit user behavior. Please note that the attacker may use many accounts and simulate the behavior of a real user. Although the cost of the attack is high, in the case of an expensive auction, it can be justified.

Impact

A malicious user may win the auction with a low bid by filling all bid slots.

PoC

Recommended Mitigation Steps

It is possible to split the finalize function into parts so that more than 1000 slots can be processed. For example, allow finalization to be done in several stages, each of which processes a maximum of 1000 slots.
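
The staged finalization recommended above, as a simplified Python model (an added example, not part of the original issue and not the SizeSealed contract's code). `StagedAuction`, `finalize_stage`, `finalize_all` and `MAX_BATCH` are hypothetical names, the per-stage bound is assumed equal to the 1000-bid limit, and the bid values are constructed.

```python
from dataclasses import dataclass, field
from fractions import Fraction

MAX_BATCH = 1000  # per-call work bound (assumed equal to the 1000-bid limit)

@dataclass
class StagedAuction:
    base_for_sale: int
    bids: list = field(default_factory=list)   # (bidder, quote, base), no global cap
    seen: set = field(default_factory=set)     # bid indices already processed
    fills: dict = field(default_factory=dict)  # bidder -> base tokens won
    last_price: Fraction = None                # price of the last processed bid
    sold: int = 0

    def bid(self, bidder, quote, base):
        self.bids.append((bidder, quote, base))

    def finalize_stage(self, order):
        """Process one ranked slice; commit state only if the whole slice is valid."""
        if len(order) > MAX_BATCH:
            raise ValueError("stage exceeds MAX_BATCH")
        seen, fills = set(self.seen), dict(self.fills)
        last, sold = self.last_price, self.sold
        for i in order:
            if i in seen:
                raise ValueError("bid processed twice")
            bidder, quote, base = self.bids[i]
            price = Fraction(quote, base)
            if last is not None and price > last:  # order is checked across stages
                raise ValueError("bids not in descending price order")
            fill = min(base, self.base_for_sale - sold)
            if fill:
                fills[bidder] = fills.get(bidder, 0) + fill
            sold, last = sold + fill, price
            seen.add(i)
        self.seen, self.fills, self.last_price, self.sold = seen, fills, last, sold
        return len(seen) == len(self.bids)     # True once every bid was ranked

def finalize_all(auction):  # off-chain helper: rank bids, submit bounded stages
    ranked = sorted(range(len(auction.bids)), reverse=True,
                    key=lambda i: Fraction(auction.bids[i][1], auction.bids[i][2]))
    stages = [ranked[s:s + MAX_BATCH] for s in range(0, len(ranked), MAX_BATCH)]
    return [auction.finalize_stage(stage) for stage in stages]

def demo():  # constructed scenario: 1000 minimum-size bids, then a higher late bid
    auction = StagedAuction(base_for_sale=100)
    for n in range(1000):
        auction.bid(f"small-{n}", quote=1, base=1)
    auction.bid("late", quote=500, base=100)
    return finalize_all(auction), auction.fills
```

Because the work bound applies per stage rather than to the stored bid list, the 1001st bid is accepted and ranked by price like any other.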

trust1995 commented 2 years ago

I don't believe this is a condition the contract needs to defend against, as it is indistinguishable from actual users wishing to send small trades. The minimum quote amount variable is the satisfactory amount the seller is happy to give away in a single trade.

c4-judge commented 2 years ago

0xean marked the issue as duplicate

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean changed the severity to 2 (Med Risk)