The protocol's bad debt is auctioned off with a 10% incentive at the beginning. The user who places the best bid wins. The auction can be closed once at least one account has placed a bid and the current block number is greater than the block of the highest bid plus nextBidderBlockLimit:
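    function closeAuction(address comptroller) external nonReentrant {
        Auction storage auction = auctions[comptroller];
        require(_isStarted(auction), "no on-going auction");
        // The auction can be closed only after a bid exists and the
        // nextBidderBlockLimit window since the highest bid has elapsed.
        require(
            block.number > auction.highestBidBlock + nextBidderBlockLimit && auction.highestBidder != address(0),
            "waiting for next bidder. cannot close auction"
        );
        // ... (rest of the function omitted in this excerpt)
    }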
nextBidderBlockLimit is set to 10 in the initializer, which means that other users have only 30 seconds to place a better bid. This is a serious problem, because stuffing a whole block with dummy transactions is very cheap on Binance Smart Chain. According to https://www.cryptoneur.xyz/en/gas-fees-calculator, 15M gas (a whole block) costs 14$~15$ on BSC. This gives a malicious user the opportunity to cheaply prevent other users from outbidding them, winning the auction at the least favorable price for the protocol. Because BSC is a centralized blockchain, there are no private mempools and no bribes paid directly to the miners (as with FlashBots), so other users have very limited options for countering this.
Impact
The protocol overpays for bad debt, losing value.
Proof of Concept
A pool has accumulated $100,000 of bad debt and is eligible for auction.
A malicious user frontruns the others and places the first bid with the least possible amount (bad debt + 10% incentive).
The user sends dozens of dummy transactions with an increased gas price, solely to fill up the whole block space for 11 blocks.
At the end, the user sends a transaction to close the auction, getting the bad debt + 10% incentive.
Tools Used
Manual analysis
Recommended Mitigation Steps
There are at least three options to resolve this issue:
make the bidding window much longer at the beginning, for example 1000 blocks
make the bidding window very long at the beginning and shorten it the more attractive the new bid is
make the bidding window dependent on the money at stake, to disincentivize block stuffing
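To size the third option, the following added example (not part of the original report or of the Venus code base) compares the cost of stuffing the bidding window with the value at stake and derives the smallest window that makes stuffing unprofitable. The function names are hypothetical, the $15 per block figure is the report's upper estimate, and treating the 10% incentive as the value at stake is an assumption.

```python
import math

# Figures taken from the report above.
BLOCK_STUFF_COST_USD = 15.0   # upper estimate for filling one 15M-gas BSC block
INCENTIVE_BPS = 1000          # 10% starting incentive
CURRENT_LIMIT = 10            # nextBidderBlockLimit set in the initializer


def stuffing_cost_usd(limit_blocks, cost_per_block=BLOCK_STUFF_COST_USD):
    """Cost of keeping rival bids out until closeAuction succeeds.

    closeAuction requires block.number > highestBidBlock + limit, so the
    report's proof of concept counts limit + 1 blocks (11 for a limit of 10).
    """
    return (limit_blocks + 1) * cost_per_block


def value_at_stake_usd(bad_debt_usd, incentive_bps=INCENTIVE_BPS):
    """Assumption: suppressing competition is worth at most the incentive."""
    return bad_debt_usd * incentive_bps / 10_000


def is_stuffing_profitable(bad_debt_usd, limit_blocks):
    """True when filling the window costs less than the value at stake."""
    return stuffing_cost_usd(limit_blocks) < value_at_stake_usd(bad_debt_usd)


def min_safe_limit(bad_debt_usd, safety_factor=1.0,
                   cost_per_block=BLOCK_STUFF_COST_USD):
    """Smallest limit whose stuffing cost reaches safety_factor * value at stake.

    Never returns less than the current limit of 10 blocks.
    """
    target = safety_factor * value_at_stake_usd(bad_debt_usd)
    blocks_needed = math.ceil(target / cost_per_block)
    return max(CURRENT_LIMIT, blocks_needed - 1)


if __name__ == "__main__":
    # Constructed sample pool sizes; 100_000 is the report's example.
    for debt in (1_000, 100_000, 1_000_000):
        limit = min_safe_limit(debt)
        print(f"bad debt ${debt:>9,}: stuffing 10-block window costs "
              f"${stuffing_cost_usd(CURRENT_LIMIT):,.0f}, "
              f"value at stake ${value_at_stake_usd(debt):,.0f}, "
              f"minimum limit {limit} blocks")
```

For the report's $100,000 pool the current window costs $165 to fill against $10,000 at stake, and the break-even window under these assumptions is 666 blocks.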
Lines of code
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L158-L202
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L467-L470
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L213
Assessed type
Other