search

sherlock-audit / 2023-06-Index-judging

6 stars 2 forks source link

Arabadzhiev - Malicious actors can DoS users, that want to buy all / most of the remaining quantity of a component, by frontrunning them with dust amount bids #53

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Arabadzhiev

medium

Malicious actors can DoS users, that want to buy all / most of the remaining quantity of a component, by frontrunning them with dust amount bids

Summary

When users place bids that are very close, or equal to the maximum available amount for that particular component, malicious users can frontrun them with a small bid for the same asset, in turn, making their transaction revert.

Vulnerability Detail

Lets take the following example:

There is a currently ongoing auction and one of the components that it sells is WETH. The currently available quantity for that component is 10.

Alice sees that this auction, and since she is really bullish on WETH, she decides to buy all of the available quantity from the auction. We can then observe the following flow of actions:

  1. Alice places a bid for buying 10 WETH
  2. Unfortunately for her, Bob has been carefully monitoring the mempool for such transactions, and when he sees her transaction, he simply places his own one with a slightly higher gas price, where he places a bid for buying 1 wei of WETH
  3. The transaction of Bob gets executed.
  4. The transaction of Alice gets executed. It will however revert on this require statement, since now the available quantity of WETH is 10 WETH - 1 wei

The above scenario can repeat itself a few times, until Alice either buys an amount significantly lower the the one she initially anticipated, or she simply gives up on participating in the auction entirely.

Impact

The following negative impacts can be observed:

  1. Bids that are very close, or equal to the maximum available quantity for that particular component have a high probability of being reverted, in turn, disincentivizing users from placing such ones
  2. Users will be able to buy components at lower prices (when their price adapters are configured to decrease the price over time)
  3. The time for reaching the targets of all components may be artificially prolonged

Code Snippet

https://github.com/sherlock-audit/2023-06-Index/blob/8d348ed344635a068d458aa04956f966b6d3d4f3/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L796

Tool used

Manual Review

Recommendation

To mitigate this issue, you can either:

  1. Add a configurable minimum bid amount, and check that the _componentAmount is greater than or equal to it at the start of each bid
  2. When the available auction quantity for that particular component is less than the requested component amount, simply sell the available amount to the user, instead of reverting. If you go this route, you may also want to consider adding a function parameter, that lets users specify exactly how much less they are willing to buy.

Duplicate of #41

Arabadzhiew commented 1 year ago

Escalate This should be a duplicate of #41

sherlock-admin2 commented 1 year ago

Escalate This should be a duplicate of #41

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Oot2k commented 1 year ago

Agree with escalation

pblivin0x commented 1 year ago

Agree this is a duplicate of #41 and it patched in the remediations

hrishibhat commented 1 year ago

Result: Medium Duplicate of #41

sherlock-admin2 commented 1 year ago

Escalations have been resolved successfully!

Escalation status: