Since the bidIncrement is not bounded, a manager can set bidIncrement to type(uint256).max in Auction.sol to create DOS condition in addBit() function because it will always revert with InSufficientBid() in L71. As a result, normal users cannot place bit and manager can use this to win an auction.
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L153
Vulnerability details
Impact
Since the
bidIncrement
is not bounded, a manager can setbidIncrement
totype(uint256).max
inAuction.sol
to create DOS condition inaddBit()
function because it will always revert withInSufficientBid()
in L71. As a result, normal users cannot place bit and manager can use this to win an auction.Proof of Concept
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L153
Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider limit a reasonable range for manager to set
bidIncrement
.Assessed type
DoS