sherlock-admin3
commented
2 months ago escalate
You've deleted an escalation for this issue.
Closed sherlock-admin3 closed 3 months ago
sherlock-admin3
commented
2 months ago escalate
You've deleted an escalation for this issue.
PNS
Medium
buyticketsfunction can be completely blocked under high demandSummary
As outlined in the document provided by the sponsor: https://docs.google.com/document/d/12kGD8nJ9DiR0cW5ngT8A6gE7GBG7NwiDCOIkGksL8qY/edit, the process of buying tickets begins with an HTTP request to the API, which returns the available number of tickets, the purchase price, and a signature. The number of tickets is then validated by the
_checkTicketPurchaseablefunction and checked against the possible supply, as seen here. Due to the asynchronous nature of these requests, it’s possible that the data and signatures could be generated just before another user completes a purchase, rendering the API data outdated and causing the transaction to revert, effectively paralyzing one of the application's core functions.Root Cause
Signatures and data are generated based on data at a specific moment without considering previous purchase transactions, leading to inconsistencies when other users buy tickets.
Internal pre-conditions
External pre-conditions
No response
Attack Path
No response
Impact
Most purchase transactions initiated through the
buyTicketsfunction will be rejected due to outdated data (ticketCount). This will cause the application's core ticket-buying feature to not function as intended.PoC
No response
Mitigation
The
buyTicketsprocess should involve some form of reservation system for the requested number of tickets. This reservation should be factored into subsequent requests to prevent multiple users from purchasing "the same" tickets. The reservation should also have a time limit to allow other users to purchase tickets if the original user decides not to complete the transaction.