Skip to content

Latest commit

 

History

History
57 lines (37 loc) · 2.51 KB

065.md

File metadata and controls

57 lines (37 loc) · 2.51 KB

Shaggy Clay Cobra

Medium

An attacker can grief the auction

Summary

The bidding mechanism in the Auction contract is flaw so that an attacker can make the auction to be failed by bidding a very large amount of buy reserve amount

Root Cause

The function Auction::endAuction() is called after auction period to end the auction. In case the sale limit is reached, the auction is marked as failed. The sale limit is checked by compare the totalSellReserveAmount with adjusted pool reserve balance: totalSellReserveAmount >= (IERC20(sellReserveToken).balanceOf(pool) * poolSaleLimit) / 100

  function endAuction() external auctionExpired whenNotPaused {
    if (state != State.BIDDING) revert AuctionAlreadyEnded();

    if (currentCouponAmount < totalBuyCouponAmount) {
      state = State.FAILED_UNDERSOLD;
@>    } else if (totalSellReserveAmount >= (IERC20(sellReserveToken).balanceOf(pool) * poolSaleLimit) / 100) {
@>        state = State.FAILED_POOL_SALE_LIMIT;
    } else {
      state = State.SUCCEEDED;
      Pool(pool).transferReserveToAuction(totalSellReserveAmount);
      IERC20(buyCouponToken).safeTransfer(beneficiary, IERC20(buyCouponToken).balanceOf(address(this)));
    }

    emit AuctionEnded(state, totalSellReserveAmount, totalBuyCouponAmount);
  }

However, in the function bid(), the totalSellReserveAmount can be increased arbitrarily when caller only has to send coupon token. This can allow the bidder to use a low amount of coupon token with very high amount of buy reserve amount to increase totalSellReserveAmount, which finally force the auction to be failed for pool sale limit. This attack vector is feasible because even though the attacker's bid can be the lowest bid. To decrease totalSellReserveAmount, it is necessary to make many bids (exceed max bids = 1000), so that the lowest can be removed.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. An auction starts
  2. An attacker bids using large amount of buyReserveAmount, effectively increase totalSellReserveAmount to exceed pool sale limit
  3. Auction ends up failed because of pool sale limi reached

Impact

  • Grief the auction process

PoC

Mitigation

Consider having a minimum price to bid so that a bid having low price can not be placed in the system