search

code-423n4 / 2024-04-gondi-findings

0 stars 0 forks source link

placeBid() malicious low bidding #8

Closed c4-bot-8 closed 7 months ago

c4-bot-8 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/AuctionLoanLiquidator.sol#L230

Vulnerability details

Vulnerability details

Users who need to bid can do so with the method: AuctionLoanLiquidator.placeBid()

    function placeBid(address _nftAddress, uint256 _tokenId, Auction memory _auction, uint256 _bid)
        external
        nonReentrant
        returns (Auction memory)
    {
@>      _placeBidChecks(_nftAddress, _tokenId, _auction, _bid);

        uint256 currentHighestBid = _auction.highestBid;
        if (_bid == 0 || (currentHighestBid.mulDivDown(_BPS + MIN_INCREMENT_BPS, _BPS) >= _bid)) {
            revert MinBidError(_bid);
        }
...

@>      _auctions[_nftAddress][_tokenId] = _auction.hash();

        emit BidPlaced(_nftAddress, _tokenId, newBidder, _bid, _auction.loanAddress, _auction.loanId);
        return _auction;
    }

There are two important checks

  1. auctions[_nftAddress][_tokenId] == _auction.hash() ( whether the param _auction is legal or not)
  2. this bid amount bid is > 5% over highestBid ( bid > highestBid * 10500 / 10000)

These two conditions can be easily underbid by a user Users just need to monitor mempool, front-run placeBid() starting from bid=1. Example:

  1. block = 1 , front-run placeBid(_auction, bid=1) --> pass ( 1 > (0 * 10500 / 10000))

  2. block = 2 , front-run placeBid(_auction, bid=2) --> pass ( 2 > (1 * 10500 / 10000))

  3. block = 3 , front-run placeBid(_auction, bid=3) --> pass ( 3 > (2 * 10500 / 10000)) ...

Each front-run, causes subsequent bids on the same block to fail, regardless of the user's bid amount, because the first one changes the hash : _auctions[_nftAddress][_tokenId] = _auction.hash();, resulting in the other users not being able to pass the hash check

Impact

Malicious front-run low bidding

Recommended Mitigation

Suggestions:

  1. Auction is saved in storage
  2. placeBid() pass in auction id

Assessed type

DoS

c4-judge commented 7 months ago

0xA5DF marked the issue as duplicate of #37

c4-judge commented 7 months ago

0xA5DF changed the severity to 2 (Med Risk)

c4-judge commented 7 months ago

0xA5DF marked the issue as satisfactory