This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
0x52 - Adversary can permanently brick auctions due to precision error in Auction#_computeTotalRewards #251
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
0x52
high
Adversary can permanently brick auctions due to precision error in Auction#_computeTotalRewards
Summary
When batch depositing to ProtocolRewards, the msg.value is expected to match the sum of the amounts array EXACTLY. The issue is that due to precision loss in Auction#_computeTotalRewards this call can be engineered to always revert which completely bricks the auction process.
Vulnerability Detail
ProtocolRewards.sol#L55-L65
When making a batch deposit the above method is called. As seen, the call with revert if the sum of amounts does not EXACTLY equal the msg.value.
Auction.sol#L474-L507
The sum of the percentages are used to determine the totalRewards. Meanwhile, the amounts are determined using the broken out percentages of each. This leads to unequal precision loss, which can cause totalRewards to be off by a single wei which cause the batch deposit to revert and the auction to be bricked. Take the following example:
Assume a referral reward of 5% (500) and a builder reward of 5% (500) for a total of 10% (1000). To brick the contract the adversary can engineer their bid with specific final digits. In this example, take a bid ending in 19.
Here we can see that the sum of amounts is not equal to totalRewards and the batch deposit will revert.
Auction.sol#L270-L273
The depositBatch call is placed in the very important _settleAuction function. This results in auctions that are permanently broken and can never be settled.
Impact
Auctions are completely bricked
Code Snippet
Auction.sol#L244-L289
Tool used
Manual Review
Recommendation
Instead of setting totalRewards with the sum of the percentages, increment it by each fee calculated. This way they will always match no matter what.
The text was updated successfully, but these errors were encountered: