code-423n4 / 2023-05-venus-findings


PLACEBID() IN SHORTFALL.SOL MAY LEAD TO DENIAL OF SERVICE AND FRONT RUNNING ATTACKS #513

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L158-L202

Vulnerability details

Impact

The Shortfall.placeBid() function in the Venus protocol exhibits potential vulnerabilities that may lead to denial-of-service (DoS) and front-running attacks. A malicious actor could exploit these vulnerabilities to disrupt the auction process, manipulate auction results, prevent legitimate users from placing bids, and even front-run existing bids.

Proof of Concept

Denial-of-Service Attack:

The placeBid() function lacks protections against a malicious actor placing an excessive number of minimal bids. By flooding the auction with 'spam' bids, an attacker could effectively clog the auction, preventing other users from placing their bids.

Front-Running Attack

In the context of this smart contract, if the auction type is AuctionType.LARGE_POOL_DEBT or AuctionType.LARGE_RISK_FUND, a malicious actor can watch the mempool for new bids and quickly place their own bid with the same bidBps and a higher gas price. This increases the likelihood that validators will include their transaction in the block before the original bid, effectively "front-running" the original bidder.

If the auction type is AuctionType.LARGE_POOL_DEBT, the attacker's bid with the same bidBps as the original bidder would cause the condition bidBps > auction.highestBidBps to be false when the original transaction is processed, causing it to revert.

Similarly, if the auction type is AuctionType.LARGE_RISK_FUND, the attacker's bid with the same bidBps would make the condition bidBps < auction.highestBidBps false when the original transaction is processed, again causing it to revert.

These vulnerabilities could be particularly problematic in scenarios where an auction has a limited duration, as legitimate users might not be able to place their bids before the auction ends.

Recommended Mitigation Steps

To mitigate these potential attacks, consider implementing the following changes:

  1. Introduce a minimum bid amount and rate limiting to prevent an attacker from spamming the auction with minimal bids. This would deter potential attackers by limiting their ability to flood the auction with bids.

  2. Prevent a user from outbidding their own highest bid by maintaining a mapping of addresses to their highest bids and checking this before accepting a new bid.

By implementing these measures, the Venus protocol can protect its auctions from potential DoS and front-running attacks, ensuring a fair and efficient bidding process for its users.

Assessed type

DoS
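The ordering-dependent revert described in the finding, as an added model for illustration (this is not Shortfall.sol and not the warden's or the Venus project's code): the acceptance rule follows the two strict comparisons quoted above, and the starting values, bidder names and gas prices are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class AuctionType(Enum):
    LARGE_POOL_DEBT = "LARGE_POOL_DEBT"  # higher bidBps wins, strictly
    LARGE_RISK_FUND = "LARGE_RISK_FUND"  # lower bidBps wins, strictly

class BidReverted(Exception):
    """Stands in for the revert the finding describes when a bid does not beat the current best."""

@dataclass
class Auction:
    auction_type: AuctionType
    highest_bid_bps: int
    highest_bidder: Optional[str] = None

def place_bid(auction: Auction, bidder: str, bid_bps: int) -> None:
    """Acceptance rule as quoted in the finding (assumed model); an equal bidBps is rejected in both modes."""
    if auction.auction_type is AuctionType.LARGE_POOL_DEBT:
        ok = bid_bps > auction.highest_bid_bps
    else:
        ok = bid_bps < auction.highest_bid_bps
    if not ok:
        raise BidReverted(f"{bidder}: {bid_bps} bps does not beat {auction.highest_bid_bps}")
    auction.highest_bid_bps = bid_bps
    auction.highest_bidder = bidder

def execute_block(auction: Auction, mempool: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Apply pending (bidder, bid_bps, gas_price) txs in descending gas-price order, recording each outcome."""
    outcomes = []
    for bidder, bid_bps, _gas in sorted(mempool, key=lambda tx: tx[2], reverse=True):
        try:
            place_bid(auction, bidder, bid_bps)
            outcomes.append((bidder, "included"))
        except BidReverted:
            outcomes.append((bidder, "reverted"))
    return outcomes

def same_bps_ordering(auction_type: AuctionType) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Constructed scenario: two txs carrying identical bidBps, the later one paying more gas."""
    if auction_type is AuctionType.LARGE_POOL_DEBT:
        auction, bps = Auction(auction_type, highest_bid_bps=0), 500
    else:
        auction, bps = Auction(auction_type, highest_bid_bps=10_000), 9_500
    mempool = [("honest", bps, 20), ("copycat", bps, 50)]  # gas prices in gwei, constructed
    return execute_block(auction, mempool), auction.highest_bidder
```

Running `same_bps_ordering` for either auction type shows the higher-gas copy landing first and the original bid reverting on the tie; the same model also shows that the original bidder's follow-up bid at a strictly better bidBps is accepted, which is the behaviour the sponsor's reply relies on.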

c4-judge commented 1 year ago

0xean marked the issue as primary issue

c4-sponsor commented 1 year ago

chechu marked the issue as sponsor disputed

chechu commented 1 year ago

DoS: A user would need to improve their bid continuously to create a DoS attack, which is ultimately benefiting the protocol. We will end up getting the best bid regardless of whether it was a bot or a real user. Front Running Attack: A front running attack doesn't prevent a bidder from placing another bid and thus improving their bid. Even if we prevent front running, a user can still watch the contract and place a better bid with a very small margin to become the best bidder.

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Invalid