Closed c4-bot-2 closed 9 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #93
raymondfam marked the issue as duplicate of #195
See comment on primary issue: https://github.com/code-423n4/2023-12-revolutionprotocol-findings/issues/195#issuecomment-1879684718
MarioPoneder marked the issue as partial-25
MarioPoneder marked the issue as not a duplicate
MarioPoneder marked the issue as duplicate of #93
MarioPoneder marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L384-L395 https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L426-L430
Vulnerability details
Impact
The
AuctionHouse._settleAuction
function is used to settle an auction by finalizing the bid and paying out to the owner and creators.The
payment
transfer to each of the creator of the artPiece is executed as shown below:The payment transfer is carried out by calling the
_safeTransferETHWithFallback
function which uses thelow-level call
function to transfer thepayment ETH amount
as shown below:The issue here is that a
single malicious creator
of the auctioned artPiece can implement areceive
function in its smart contract and consume (drain) the entire gas of the transaction (gas bomb can be implemented by a malicious creator) thus reverting thesettleAuction
transaction. Furthermore this will make the_settleAuction
transaction very costly due to draining of gas thus prompting loss of funds to thecaller
.As a result the
current auction
will never be able to be settled. Because it gets reverted since one of themalicious creators
of the auctioned artPiece consumes all the gas of the transaction in itsreceive
function.As a result a new auction can not be created via the
AuctionHouse.settleCurrentAndCreateNewAuction
function since it initially attempts to settle the current auction but it gets reverted as explained earlier.As a result the
AuctionHouse
contract getsDoS
for creation and executing new auctions and bids for theVerbs
.Proof of Concept
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L384-L395
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L426-L430
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to define a mapping which stores the
creator's address
and the respectivepayment amounts
of each of the creator, of the auctioned artPiece, and then implement a functionclaimCreatorPayment
callable by each of thecreators
so they can receive their payment amounts.Assessed type
DoS