Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

unforgiven - attacker can force pause the Auctions #118

Closed
sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Closed

unforgiven - attacker can force pause the Auctions #118

sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Dec 1, 2023
edited by sherlock-admin2
Loading

unforgiven

high

attacker can force pause the Auctions

Summary

function _createAuction() is called after old auctions is settled. the issue is that code tires to mint new token by calling token.mint() and if that call reverts then code pauses the Auction. attacker can send low gas amount in the call and make the call to mint revert because of OOG and then Auction contract will pause the auction operations.

if Auction is paused then tokens won't be minted and Founders won't receive their vesting allocations. for example if a founders vesting time was for 1 week and auction time was for 1 day, then that founder expect to receive 7 NFT tokens in his vesting time, but attacker can cause force pause between auctions and make the funder to receive less NFT, also the pause will block the core functionality of the Auction, so I believe this is a High issue.

Vulnerability Detail

This _createAuction() code, as you can see if token.mint() reverts, then auction will be paused.

    /// @dev Creates an auction for the next token
    function _createAuction() private returns (bool) {
        // Get the next token available for bidding
        try token.mint() returns (uint256 tokenId) {
            // Store the token id
            auction.tokenId = tokenId;
..........
..........
..........
        } catch {
            // Pause the contract if token minting failed
            _pause();
            return false;
        }

because code pauses the auction even if the call reverted because of the OOG, so attacker can send low gas and cause OOG in the mint execution and pause the Auction. This is the POC:

  1. let's assume the Token.mint() need 30K gas.
  2. let's assume settleCurrentAndCreateNewAuction() execution until Token.mint() line requires 100K gas.
  3. when an auction is finished attacker would frontrun others and would call settleCurrentAndCreateNewAuction() with 120K gas.
  4. function settleCurrentAndCreateNewAuction() will run until Token.mint() and it would send less than 20K gas to the mint function.
  5. mint call will revert and the catch part will be executed and would pause the Auction to pause.
  6. attacker was able to pause the Auction while pausing is only for Founder level access or incase of the Token contract doesn't allow minting.

because founders receive their vesting tokens based on expire time so it's essential that auctions are executed and tokens are minted so they receive their token. if auction is paused then founders will receive less tokens.

Impact

attacker can manipulate Auction mechanism and pause the auction.

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/db232c649b425c36f5a93607c95cfdf0e5962b2f/nouns-protocol/src/auction/Auction.sol#L292-L330

Tool used

Manual Review

Recommendation

make sure there is enough gas left when calling mint() function or doesn't pause when call revered with no error.

Duplicate of #243
@github-actions github-actions bot closed this as completed Dec 6, 2023
@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Dec 6, 2023
@sherlock-admin2 sherlock-admin2 changed the title Skinny Frost Puppy - attacker can force pause the Auctions unforgiven - attacker can force pause the Auctions Dec 13, 2023
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 13, 2023
@Czar102 Czar102 added the Medium A valid Medium severity issue label Dec 21, 2023
@sherlock-admin sherlock-admin added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Dec 21, 2023
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Dec 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Czar102 @sherlock-admin @sherlock-admin2