sherlock-audit / 2022-11-opyn-judging


indijanc - An attacker can cause a temporary DoS on auctions #218

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

indijanc

medium

An attacker can cause a temporary DoS on auctions

Summary

As the auctions for buying/selling SQUEETH are public, anyone can cause at least a temporary DoS by revoking their ERC20 approvals.

Vulnerability Detail

Both auction functions require that the bidders approve WETH and SQUEETH for the auction to function. While they can approve at bidding time, they can later revoke their approvals at auction settlement time, which will revert the auction. This would however be a temporary DoS depending on the attacker's determination and skills, as the particular order can be dismissed and the auction repeated.

Impact

Temporary DoS on executing the auctions.

Code Snippet

https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L512
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L518
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L649
https://github.com/sherlock-audit/2022-11-opyn/blob/main/crab-netting/src/CrabNetting.sol#L651

Tool used

Manual Review

Recommendation

Fixing this would likely require a design change in how bidding is done to require bidders to deposit their bids for the duration of the auction.

Duplicate of #60
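The two settlement patterns the report contrasts, as an added illustration that is not code from CrabNetting or from the Opyn team: the allowance-based loop, where one bidder revoking approval between bidding and settlement reverts the whole batch, beside the escrow design the recommendation sketches. Contract names, the `Order` struct, the `operator` role and the fixed-point price convention are hypothetical; the only real interface used is the ERC20 `transferFrom`/`transfer` pair.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; all names below are hypothetical, not CrabNetting's.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

struct Order {
    address bidder;
    uint256 quantity; // units of the auctioned asset the bidder receives
    uint256 price;    // WETH per unit, 1e18 fixed point (hypothetical convention)
}

/// Pattern A (the reported weakness): settlement pulls each bidder's WETH with
/// transferFrom at settlement time. A bidder who revokes approval, or simply
/// moves the WETH elsewhere, after bidding makes their transferFrom revert, and
/// that revert rolls back every order already processed in the same call.
contract AllowanceSettlement {
    IERC20 public immutable weth;
    IERC20 public immutable asset;

    constructor(IERC20 _weth, IERC20 _asset) {
        weth = _weth;
        asset = _asset;
    }

    function settle(Order[] calldata orders) external {
        for (uint256 i = 0; i < orders.length; i++) {
            uint256 cost = orders[i].quantity * orders[i].price / 1e18;
            // Depends on allowance and balance the bidder still controls.
            require(weth.transferFrom(orders[i].bidder, address(this), cost), "pull failed");
            require(asset.transfer(orders[i].bidder, orders[i].quantity), "push failed");
        }
    }
}

/// Pattern B (the recommendation): WETH is escrowed when the bid is placed and
/// cannot be withdrawn while the auction is live, so settlement debits a balance
/// the contract already holds and no longer depends on the bidder's allowance.
contract EscrowedSettlement {
    IERC20 public immutable weth;
    IERC20 public immutable asset;
    address public immutable operator;
    bool public auctionLive;
    mapping(address => uint256) public escrow;

    constructor(IERC20 _weth, IERC20 _asset) {
        weth = _weth;
        asset = _asset;
        operator = msg.sender;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    function openAuction() external onlyOperator {
        auctionLive = true;
    }

    // The only step that relies on approval; it runs at bid time, under the
    // bidder's own transaction, so a failure here only affects that bidder.
    function bid(uint256 amount) external {
        require(auctionLive, "no auction");
        require(weth.transferFrom(msg.sender, address(this), amount), "deposit failed");
        escrow[msg.sender] += amount;
    }

    // Blocked while an auction is live: a bidder cannot pull funds out between
    // bidding and settlement, which is exactly the window the report abuses.
    function withdraw(uint256 amount) external {
        require(!auctionLive, "auction live");
        escrow[msg.sender] -= amount; // checked arithmetic reverts on underflow
        require(weth.transfer(msg.sender, amount), "withdraw failed");
    }

    // The operator can verify escrow[bidder] >= cost off-chain before submitting,
    // and that value cannot change underneath them while auctionLive is true.
    function settle(Order[] calldata orders) external onlyOperator {
        require(auctionLive, "no auction");
        for (uint256 i = 0; i < orders.length; i++) {
            uint256 cost = orders[i].quantity * orders[i].price / 1e18;
            escrow[orders[i].bidder] -= cost;
            require(asset.transfer(orders[i].bidder, orders[i].quantity), "push failed");
        }
        auctionLive = false;
    }
}
```

Two caveats a practitioner would weigh before adopting Pattern B. The report notes that bidders approve both WETH and SQUEETH, so a real escrow would have to cover the asset leg symmetrically, not just the WETH leg shown here. And escrow locks market-maker capital for the whole auction window, which is a cost the protocol team evidently judged worse than the temporary DoS they acknowledged in #60. The cheaper middle ground, wrapping each order's `transferFrom` in a `try`/`catch` and skipping orders that fail, keeps the batch alive but changes which orders clear, so the settlement would need to tolerate a partially filled auction rather than assume the full order set.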

indijanc commented 1 year ago

Escalate for 3 USDC

This is a duplicate of https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60

The issue is talking about market makers disabling their order by revoking approval. This way they can cause the auction functions to fail. Protocol owners acknowledged this but don't plan to fix as they don't expect market makers and auction participants to abuse this as per their comment:

https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60#issuecomment-1342109888

sherlock-admin commented 1 year ago

Escalate for 3 USDC

This is a duplicate of https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60

The issue is talking about market makers disabling their order by revoking approval. This way they can cause the auction functions to fail. Protocol owners acknowledged this but don't plan to fix as they don't expect market makers and auction participants to abuse this as per their comment:

https://github.com/sherlock-audit/2022-11-opyn-judging/issues/60#issuecomment-1342109888

You've created a valid escalation for 3 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

hrishibhat commented 1 year ago

Escalation accepted

sherlock-admin commented 1 year ago

Escalation accepted

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.