code-423n4 / 2023-05-particle-findings


DoS of `auctionBuyNft()` #41

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-particle/blob/1caf678bc20c24c96fc8f6b0046383ff0e9d2a6f/contracts/protocol/ParticleExchange.sol#L524-L538

Vulnerability details

Impact

An auction can be forced to conclude, which is typically to the benefit of the lender.

Proof of Concept

`auctionBuyNft(lien, lienId, tokenId, amount)` validates the lien in question by `validateLien(lien, lienId)`, which checks that the lien is hashed to the same digest as is stored at `liens[lienId]`. The issue is that the attacker (such as the lender holding the auction) can frontrun `auctionBuyNft()` with a call to `addCredit()` (spending only 1 wei), which updates the lien and its stored digest. This causes `auctionBuyNft()` to revert in its `validateLien()`. By frontrunning every attempt to have the contract buy the NFT, the lender can thus force the auction to conclude. He can then liquidate the borrower for his desired price. He can initiate this attack as soon as the NFT is borrowed, because typically the desired price would be higher than the borrower expects to sell it for on the market. This implies a quick (24 hours) gain for the lender at the cost of the unsuspecting borrower.

Recommended Mitigation Steps

A solution might be to require that addCredit() makes the borrower solvent as per the current auction price.

Assessed type

DoS
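The stale-digest revert described in the report, and the effect of the suggested `addCredit()` restriction, shown as an added Python model (not the ParticleExchange Solidity code and not part of the original report). The class, the lien fields, `auction_price`, and the reading of "solvent" as credit >= auction price are assumptions made for illustration.

```python
import hashlib
import json

class Revert(Exception):
    pass  # stands in for a Solidity revert

def lien_hash(lien):
    # Stand-in for hashing the lien struct on-chain (sha256 over canonical JSON).
    return hashlib.sha256(json.dumps(lien, sort_keys=True).encode()).hexdigest()

class ExchangeModel:
    def __init__(self, guard_add_credit):
        self.liens = {}                  # lienId -> stored digest only
        self.guard = guard_add_credit    # toggles the suggested mitigation

    def open_lien(self, lien_id, lien):
        self.liens[lien_id] = lien_hash(lien)

    def validate_lien(self, lien, lien_id):
        if self.liens.get(lien_id) != lien_hash(lien):
            raise Revert("invalid lien")

    def add_credit(self, lien, lien_id, amount, auction_price):
        self.validate_lien(lien, lien_id)
        updated = dict(lien, credit=lien["credit"] + amount)
        # Assumed mitigation: an in-auction top-up must reach the auction price.
        if self.guard and lien["auction_active"] and updated["credit"] < auction_price:
            raise Revert("credit below auction price")
        self.liens[lien_id] = lien_hash(updated)   # stored digest changes here
        return updated

    def auction_buy_nft(self, lien, lien_id):
        self.validate_lien(lien, lien_id)          # stale struct fails here
        del self.liens[lien_id]
        return "bought"

def run(guard_add_credit):
    ex = ExchangeModel(guard_add_credit)
    lien = {"borrower": "B", "lender": "L", "credit": 100, "auction_active": True}
    ex.open_lien(1, lien)                          # constructed sample lien
    try:                                           # ordered first in the block
        ex.add_credit(lien, 1, 1, auction_price=500)
        top_up = "applied"
    except Revert:
        top_up = "reverted"
    try:                                           # built from the pre-update lien
        buy = ex.auction_buy_nft(lien, 1)
    except Revert as err:
        buy = "reverted: " + str(err)
    return top_up, buy
```

`run(False)` models the reported behaviour, where the 1-unit top-up lands first and the buy reverts; `run(True)` rejects the dust top-up, so the buy built from the original lien still validates.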

c4-judge commented 1 year ago

hansfriese marked the issue as duplicate of #31

c4-judge commented 1 year ago

hansfriese marked the issue as not a duplicate

c4-judge commented 1 year ago

hansfriese marked the issue as satisfactory

c4-judge commented 1 year ago

hansfriese marked the issue as duplicate of #8

c4-judge commented 1 year ago

hansfriese marked the issue as duplicate of #16

wukong-particle commented 1 year ago

Duplication of #8 and #16 is correct, not a duplicate of #31 though.

c4-sponsor commented 1 year ago

wukong-particle marked the issue as sponsor acknowledged

c4-sponsor commented 1 year ago

wukong-particle marked the issue as sponsor confirmed

c4-judge commented 1 year ago

hansfriese changed the severity to 2 (Med Risk)

wukong-particle commented 1 year ago

Mitigated with https://github.com/Particle-Platforms/particle-exchange-protocol/pull/14