search

sherlock-audit / 2024-03-axis-finance-judging

1 stars 0 forks source link

shaka - DoS for EMPAM `refundBid` #235

Closed sherlock-admin4 closed 7 months ago

sherlock-admin4 commented 7 months ago

shaka

medium

DoS for EMPAM refundBid

Summary

DoS for EMPAM refundBid function when the number of bids is large.

Vulnerability Detail

The refundBid function in the EMPAM contract has a complexity of O(n) where n is the number of bids. This can be exploited to perform a DoS attack by creating a large number of bids and calling the refundBid function. The function will iterate over all the bids to find the bids to refund, which will consume a large amount of gas and cause the transaction to revert.

Impact

Users will not be able to request a refund for their bids.

Code Snippet

https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/modules/auctions/EMPAM.sol#L295-L301

Proof of concept

Add the following code to the contract EmpaModuleRefundBidTest in refundBid.t.sol and run forge test --mt test_refundBidOog.

function test_refundBidOog() givenLotIsCreated givenLotHasStarted external {
    uint256 numBids = 56_000;
    for (uint256 i = 0; i < numBids; i++) {
        _createBid(_BIDDER, 2e18, 100e18);
    }

    vm.prank(address(_auctionHouse));
    uint256 gasBefore = gasleft();
    _module.refundBid(_lotId, uint64(numBids), _BIDDER);

    assert(gasBefore - gasleft() > 30_000_000);
}

Tool used

Manual Review

Recommendation

Implement a search of bids with O(1) complexity for the refund function.

Duplicate of #41