search

code-423n4 / 2023-10-nextgen-findings

5 stars 3 forks source link

DoS: Auction May Be Made Unusable By An Attacker #2040

Closed thebrittfactor closed 1 year ago

thebrittfactor commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/AuctionDemo.sol#L60

Vulnerability details

Impact

When the items of auctionInfoData array is sufficiently high, claimAuction, cancelAllBids(), returnHighestBid() will all not be able to be called due to the block gas limit rendering all funds locked and auction unusable.

auctionInfoData can only ever be add to and thus will always increase. This array will naturally increase as new bids are made.

Notice an attacker can simply send additional 1 WEI worth of ETH to pass the required checks to creating new Bids, cancel bid to get funds back and preform steps continually to maliciously increase array size with lossing bigged funds.

Proof of Concept

AuctionDemo:participateToAuction() where newBid can be added to auctionInfoData and grow indefinitely

    function participateToAuction(uint256 _tokenid) public payable {
        require(msg.value > returnHighestBid(_tokenid) && block.timestamp
<= minter.getAuctionEndTime(_tokenid) && minter.getAuctionStatus(_tokenid)
== true);
        auctionInfoStru memory newBid = auctionInfoStru(msg.sender,
msg.value, true);
        auctionInfoData[_tokenid].push(newBid);
    }

Example function that would break

function returnHighestBid(uint256 _tokenid) public view returns (uint256) {
        uint256 index;
        if (auctionInfoData[_tokenid].length > 0) {
            uint256 highBid = 0;
            for (uint256 i=0; i< auctionInfoData[_tokenid].length; i++) {
                if (auctionInfoData[_tokenid][i].bid > highBid &&
auctionInfoData[_tokenid][i].status == true) {
                    highBid = auctionInfoData[_tokenid][i].bid;
                    index = i;
                }
            }
            if (auctionInfoData[_tokenid][index].status == true) {
                return highBid;
            } else {
                return 0;
            }
        } else {
            return 0;
        }
    }

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Consider modifying the newBids creation approach

Assessed type

DOS

thebrittfactor commented 1 year ago

For transparency, due to submission issues, the warden provided this submission prior to audit close.

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #1453

c4-judge commented 11 months ago

alex-ppg marked the issue as duplicate of #2038

c4-judge commented 11 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope

c4-judge commented 11 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope