Preventing other bidders to bid on an auction #126
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-237
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L122
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L415
Vulnerability details
Impact
In summary, it is possible to bid and cancel the bid on an auction. So, the number of bidder will be incremented by one (although it is conceled). Doing so 1000 times, will prevent other users to bid on this auction.
Suppose an auction is already created. A malicious user calls 1000 times the function
bid(...)
with the required parameters.https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L122
So, for each call, one bidder will be pushed to the array
EncryptedBid[]
.https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L161
Then the malicious user calls
cancelBid(...)
1000 times to take the funds back.https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L415
By doing so, the number of bidders reaches to 1000, so no bidders can bid on this auction anymore, because it is reached to the limit.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L157
The malicious user only pays the gas for these transactions, and will not lose any money because during cancelling bids the fund is transferred back to the malicious user.
The vulnerability is that in the function
cancelBid(...)
, the bid is not removed from the number of bidders in the auction.Proof of Concept
Tools Used
Recommended Mitigation Steps
The number of active/valid bidders should be tracked, so during cancelling a bid, it can be easily removed.
The text was updated successfully, but these errors were encountered: