Closed c4-submissions closed 10 months ago
141345 marked the issue as duplicate of #1952
alex-ppg marked the issue as duplicate of #2038
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L69
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L136
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L110
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L90
Vulnerability details
Description
Bids to the auction can be created using any msg.value via the participateToAuction method and are stored in an array within the mapping auctionInfoData. However, all important methods (claimAuction, returnHighestBid, returnHighestBidder, participateToAuction) loop through the array, which can allow an attacker to fill it with numerous valueless dust bids to cause these functions to revert due to out-of-gas errors. In the worst case, where he can't overload the array enough, he will still impact other users since they will potentially be spending more gas (more money) than expected.
Proof of Concept
An auction has just started.
Attacker calls participateToAuction as many times as he can: auctionInfoData[_tokenid].push(newBid);, increasing the length of the bids array.
The function requires msg.value to be higher than the highestBid. However, a new auction won't have any bid, so the attacker just needs to increment 1 wei in each participateToAuction call.
After he has called it enough times, essential functions like participateToAuction will try to loop through auctionInfoData[_tokenid], but will spend enough gas to revert or make the transaction a lot more expensive than it should be, which impacts any user of the protocol.
Impact
Attacker can interrupt an auction or make every function call a lot more expensive.
Tools Used
Manual Review
Recommended Mitigation Steps
Define a minimum value check in participateToAuction. After that, any attack like this will have a high cost.
Assessed type
Loop
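
A sketch of the recommended minimum value check, added here as an example; it is not the NextGen AuctionDemo code and every contract, function and constant name in it is hypothetical. It goes beyond the recommendation by also caching the highest bid and crediting outbid funds to a pull-based refund balance, so no function iterates over stored bids. The floor (0.01 ether) and minimum raise (5%) are assumed values, and settlement of the winning bid is outside what it shows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the NextGen AuctionDemo code; every name here is hypothetical.
contract MinBidAuctionSketch {
    uint256 public constant MIN_BID = 0.01 ether;     // assumed floor for the first bid
    uint256 public constant MIN_RAISE_BPS = 500;      // assumed minimum raise: 5% of the top bid

    address public immutable owner;
    mapping(uint256 => uint256) public auctionEnd;    // tokenId => end timestamp
    mapping(uint256 => uint256) public highestBid;    // cached top bid, read without a loop
    mapping(uint256 => address) public highestBidder;
    mapping(address => uint256) public pendingRefund; // outbid funds, withdrawn by their owner

    constructor() { owner = msg.sender; }

    function startAuction(uint256 tokenId, uint256 endTime) external {
        require(msg.sender == owner, "not owner");
        require(auctionEnd[tokenId] == 0 && endTime > block.timestamp, "bad auction");
        auctionEnd[tokenId] = endTime;
    }

    // Smallest bid that will be accepted: the floor on an empty auction,
    // otherwise the current top bid plus the minimum raise.
    function minNextBid(uint256 tokenId) public view returns (uint256) {
        uint256 top = highestBid[tokenId];
        return top == 0 ? MIN_BID : top + (top * MIN_RAISE_BPS) / 10_000;
    }

    function participate(uint256 tokenId) external payable {
        require(block.timestamp <= auctionEnd[tokenId], "auction not active");
        require(msg.value >= minNextBid(tokenId), "bid below minimum");
        // Credit the outbid bidder instead of keeping an array to iterate later.
        if (highestBidder[tokenId] != address(0)) {
            pendingRefund[highestBidder[tokenId]] += highestBid[tokenId];
        }
        highestBid[tokenId] = msg.value;
        highestBidder[tokenId] = msg.sender;
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0;                // clear before sending (reentrancy)
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }
}
```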