Closed sherlock-admin closed 1 year ago
Escalate for 3 USDC This is a duplicate of https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60
The issue is talking about market makers disabling their order by revoking approval. This way they can cause the auction functions to fail. Protocol owners acknowledged this but don't plan to fix as they don't expect market makers and auction participants to abuse this as per their comment:
https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60#issuecomment-1342109888
You've created a valid escalation for 3 USDC!
Escalation accepted
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
indijanc
medium
An attacker can cause a temporary DoS on auctions
Summary
As the auctions for buying/selling SQUEETH are public, anyone can cause at least a temporary DoS by revoking their ERC20 approvals.
Vulnerability Detail
Both Auction functions require that the bidders approve WETH and SQUEETH for the auction to function. While they can approve at bidding time, they can later revoke their approvals at auction settlement time, which will revert the auction. This would however be a temporary DoS, depending on the attacker's determination and skills, as the particular order can be dismissed and the auction repeated.
Impact
Temporary DoS on executing the auctions.
Code Snippet
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L512
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L518
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L649
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L651
Tool used
Manual Review
Recommendation
Fixing this would likely require a design change in how bidding is done to require bidders to deposit their bids for the duration of the auction.
Duplicate of #60
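To make the settlement-time dependency and the recommended escrow design concrete, here is an added illustration that is not code from the Opyn repository or from the issue author: a hypothetical minimal auction written two ways, one pulling bidder tokens via allowance at settle() (so any revoked approval reverts the whole settlement) and one pulling them into the contract at bid time and refunding unfilled bids. The IERC20 interface, contract names and the single-token (WETH) simplification are assumptions for the sketch; access control on settle() is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed below (assumed interface, not CrabNetting's own).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

struct Bid { address bidder; uint256 amount; }

// Approval-based settlement: bidder tokens stay in the bidder's wallet until settle(),
// so one revoked allowance (or drained balance) makes every bid's settlement revert.
contract ApprovalAuction {
    IERC20 public immutable weth;
    Bid[] public bids;
    constructor(IERC20 _weth) { weth = _weth; }

    function bid(uint256 amount) external {
        bids.push(Bid(msg.sender, amount)); // no tokens move yet
    }

    function settle() external {
        for (uint256 i = 0; i < bids.length; i++) {
            // Whole loop reverts if any single bidder no longer has an allowance.
            require(weth.transferFrom(bids[i].bidder, address(this), bids[i].amount), "pull failed");
        }
        delete bids;
    }
}

// Escrow-based settlement (the design change suggested in the Recommendation):
// tokens are pulled when the bid is placed, so settle() never depends on allowances.
contract EscrowAuction {
    IERC20 public immutable weth;
    Bid[] public bids;
    constructor(IERC20 _weth) { weth = _weth; }

    function bid(uint256 amount) external {
        require(weth.transferFrom(msg.sender, address(this), amount), "deposit failed");
        bids.push(Bid(msg.sender, amount)); // contract now holds the bid
    }

    function settle(uint256 filled) external {
        // Bids at index >= filled were not matched: return their deposits.
        for (uint256 i = filled; i < bids.length; i++) {
            require(weth.transfer(bids[i].bidder, bids[i].amount), "refund failed");
        }
        delete bids;
    }
}
```

The escrow version trades the settlement-time revert for locked capital during the auction, which is the cost the Recommendation alludes to.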