Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

0xMosh - Auction contract could be paused maliciously ! #266

Closed
sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Closed

0xMosh - Auction contract could be paused maliciously ! #266

sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Dec 1, 2023
edited by sherlock-admin2
Loading

0xMosh

medium

Auction contract could be paused maliciously !

Summary

Auction contract could be paused maliciously !

Vulnerability Detail

There is a function _createAuction in Auction contract.
There is a function _createAuction in Auction contract.

It consists of the following logic:

function _createAuction() private {
    try token.mint() returns (uint256 tokenId) {
        **creating of the auction for token with id equal to tokenId**
        // Pause the contract if token minting failed
    } catch Error(string memory) {
        _pause();
    }
}

According to the EIP-150 call opcode can consume as most 63/64 of parrent calls’ gas. That means token.mint() can fail since there will be no gas.

All in all, if token.mint() fail on gas and the rest gas is enough for pausing the contract by calling _pause in catch statement the contract will be paused.

Please note, that a bug can be exploitable if the token.mint() consume more than 1.500.000 of gas, because 1.500.000 / 64 > 20.000 that need to pause the contract. Also, the logic of token.mint() includes traversing the array up to 100 times, that’s heavy enough to reach 1.500.000 gas limit.

Impact

Contract can be paused by any user by passing special amount of gas for the call of settleCurrentAndCreateNewAuction (which consists of two internal calls of _settleAuction and _createAuction functions).

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/auction/Auction.sol#L292

Tool used

Manual Review

Recommendation

Add a special check for upper bound of gasLeft at start of _createAuction function.

Duplicate of #243
@github-actions github-actions bot closed this as completed Dec 6, 2023
@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Dec 6, 2023
@sherlock-admin2 sherlock-admin2 changed the title Skinny Oily Koala - Auction contract could be paused maliciously ! 0xMosh - Auction contract could be paused maliciously ! Dec 13, 2023
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 13, 2023
@Czar102 Czar102 added the Medium A valid Medium severity issue label Dec 21, 2023
@sherlock-admin sherlock-admin added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Dec 21, 2023
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Dec 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Czar102 @sherlock-admin @sherlock-admin2