search

code-423n4 / 2024-07-reserve-findings

5 stars 4 forks source link

Dutch auctions are vulnerable to block stuffing on L2s #27

Open c4-bot-10 opened 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/trading/DutchTrade.sol#L1

Vulnerability details

Dutch auctions work by starting at a high price and decreasing over time until a bid is placed or the auction ends. The DutchTrade contract implements a 4-phase auction:

  1. 0-20%: Geometric decay from 1000x to ~1.5x the best price
  2. 20-45%: Linear decay from ~1.5x to the best price
  3. 45-95%: Linear decay from best price to worst price
  4. 95-100%: Constant at worst price

However, dutch auctions are known to be vulnerable to block stuffing attacks, particularly on L2s where gas prices are lower. The default value for the Broker.dutchAuctionLength parameter, the total duration of the auction, is 15 minutes on L2 networks.

In order to execute a block stuffing attack, an attacker would only need to consume all the gas for blocks from the moment other bids can be expected (shortly before the auction reaches fair market price) and for as long as necessary. With the parameters cited above, a conservative estimate would be to start 50% of the total duration.

On Optimism, blocks are produced every 2 seconds with a gas limit of 30M. A simple back-of-the-envelope calculation using current gas prices of ~7.86 USD per block on Optimism allows us to estimate the cost of the attack to stall the auction until it reaches the worst price at 95% of the auction at ~1591 USD. For larger trades this can clearly be profitable, and the profitability of the attack increases with lower gas prices.

See here for a similar finding and related discussion.

Impact

This allows manipulating Dutch auctions to buy assets at unfairly low prices, extracting value from the protocol. The impact is particularly severe on L2 networks due to the lower gas prices compared to Ethereum mainnet.

Proof of Concept

  1. A valuable asset is put up for Dutch auction with dutchAuctionLength set to 15 minutes (900 seconds)
  2. Attacker monitors the auction progress
  3. After 7 minutes (420 seconds), the price becomes attractive to bidders (entering phase 3 of the auction)
  4. For the next 5 minutes (300 seconds):
    • Attacker stuffs each 2-second block on Optimism, costing: 300 seconds / 2 seconds per block * 7.94 USD = 1,191 USD
  5. At 12 minutes, the auction price has dropped significantly
  6. Attacker stops stuffing blocks and places a bid at the now much lower price
  7. Attacker acquires the asset at a large discount, profiting more than the cost of block stuffing

Tools Used

Manual review

Recommended Mitigation Steps

Consider significantly increasing the default dutchAuctionLength for L2 networks to make block stuffing attacks financially unprofitable. A more exhaustive mitigation could involve mplementing adaptive auction durations based on asset value and/or current gas prices.

Assessed type

Other

akshatmittal commented 3 months ago

Dutch Auctions are competitive markets and what you describe is still competitive. While block stuffing is possible, it's not only hard in reality but also that other participants can bid higher for the lot and have the sequencer to include transactions.

Additionally, the variable is just a recommended value in the deployment docs (that too for mainnet), not a fixed value. The value can range from 60s to 1 week.

thereksfour commented 2 months ago

Block stuffing to prevent users from bidding, thus sell assets at low price, which compromises the protocol and meets the M severity

c4-judge commented 2 months ago

thereksfour marked the issue as satisfactory

c4-judge commented 2 months ago

thereksfour marked the issue as selected for report

tbrent commented 2 months ago

I do not think this issue is valid.

I don't think the PoC correctly accounts for the nature of open adversarial financial markets, in particular at this assumption:

  1. For the next 5 minutes (300 seconds): Attacker stuffs each 2-second block on Optimism, costing: 300 seconds / 2 seconds per block * 7.94 USD = 1,191 USD

The cost of stuffing the first block might be 7.94 USD, but this cost will increase monotonically over the next 5 minutes since access to the chain only becomes more valuable over time. This is primarily true because there other defi protocols on the chain with their own prices on liveness, but I think you can actually ignore this and consider the Reserve Protocol in isolation: each block that passes in the auction will open up a larger and larger MEV opportunity -- as soon as the potential profit from bidding in the block exceeds (a fraction of) 7.94 USD the block stuffer would be outbid.

Execution cannot be both cheap (easy to DoS) and valuable (provides access to lucrative trades) at the same time.

thereksfour commented 2 months ago

Agree with sponsors, will downgrade to Low. and will keep open during pjqa.

c4-judge commented 2 months ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 2 months ago

thereksfour marked the issue as not selected for report

akshatmittal commented 2 months ago

I just want to say, I think this is truly invalid.

Without even going into the details and numbers, no matter how small MEV is created, the cost of stuffing the whole block will always be higher than adding one transaction with a slightly higher priority fee.

If any of the assumptions here would be true or viable, we'd see block stuffing attacks every day for things such as AAVE liquidations.

That said, it doesn't really matter if it's a QA here or not, so I'll let you decide @thereksfour. From my perspective however, this is a true invalid.

thereksfour commented 2 months ago

Hi @akshatmittal, thank you for your positive reply, for which we can see there is some relevant discussion at https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/685. But for me, M is not valid. The reason I think it's QA though is that it does show us a concern, and while the likelihood of this is low due to cost etc., I think in extreme cases (where the main network only has the Reserve protocol active at a certain time, and the auction competitors are bots offering fixed fees etc.) it would be a concern.

0xEVom commented 2 months ago

@thereksfour @akshatmittal thank you for your comments. We agree there are many aspects to consider with this finding but we do think it meets the criteria for Medium severity. Block stuffing is in itself a technically feasible attack vector under specific conditions, and it must only be carried out for a very short time with the lowest supported auction duration.

The calculation was merely an estimate to show that the attack can be profitable even for standard values.

As @akshatmittal said, however, the duration may be configured to be as short as 60s and it is also not necessary for the stuffing to take place during the whole duration of the auction. So the attack window may be much shorter than assumed in the calculation, and as for gas prices they may also be lower and there's a cap to how much they can rise.

Besides, even if the attack is "unsuccessful" and the attacker is outbid, the end result is still a loss for the protocol.

We can agree there are some obvious assumptions here, but with the minimum supported value of 60s (which, of course, the audit should cover) the feasibility of the attack is very real.

thereksfour commented 2 months ago

Still think it's QA, the 60s configuration itself is an issue of auction prices dropping too rapidly, and sponsors stated that the wide parameter ranges are just to allow wider discretion for governance, and that extreme parameter configuration would be considered misconfigurations that don't meet the premise of non-malicious governance.