Open c4-bot-2 opened 8 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
QA low.
MarioPoneder changed the severity to QA (Quality Assurance)
MarioPoneder marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/AuctionHouse.sol#L171-L200
Vulnerability details
Impact
The auction owner does not and the NFT creator(s) benefit from the auction at all. A malicious user obtains NFT at a very low price and grieves other users.
Proof of Concept
When top
piece
is auctioned off every day as anERC721 VerbsToken
via theAuctionHouse.sol
contract, the owner ofAuctionHouse.sol
contract can callunpause()
function to create an auction via_createAuction()
function.After that everyone the want the certain NFT form the auction can call
createBid()
function to create a bid for a Verb, with a given amountEvery auction has an
endTime
set in_createAuction()
function. Now, there is a serious problem, because stuffing wholeduration
of the auction toauction#endTime
with dummy transactions is very cheap on Optimism L2 According to https://www.cryptoneur.xyz/en/gas-fees-calculator 50M gas (which is several whole blocks) - costs ~11.1192 USD$ on Optimism L2. This makes a malicious user occasion to cheaply prohibit other users to overbid them, winning the auction at the least favorable price for the protocol.The
createBid()
function actually try to prevent the block stuffing with the implementation ofminBidIncrementPercentage
andtimeBuffer
but this actually doesn't safe the current auction, because as it writes in the following article:Tool Used
Manual Review
Recommendation Migration Steps
There are several possible solutions:
reservePrice
is enough high in the beginning of the auction.Assessed type
Context