Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-06-STADER-FINDINGS-ISSUES-367
HistoryJun 09, 2023 - 12:00 a.m.

Aunction DOS

2023-06-0900:00:00
Code4rena
github.com
9
vulnerability
auction contract
dos
potential
incorrect time calculation
block.timestamp
mitigation steps
JSON

Lines of code
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L38&gt;
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L48-L50&gt;
<https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L62-L135&gt;

Vulnerability details

Impact

All auction functions are under a potential DOS or exploitability vulnerability
A 2 day duration is added to the current block.number when creating a lot. This introduces a critical flaw, Adding 2 * 86400(correct value of 2 days) / 2*7200(wrong value used in code) to a block number makes all checks return wrong values.

 uint256 public constant MIN_AUCTION_DURATION = 7200; // 24 hours

    function createLot(uint256 _sdAmount) external override whenNotPaused {
        lots[nextLot].startBlock = block.number;
        lots[nextLot].endBlock = block.number + duration;
        lots[nextLot].sdAmount = _sdAmount;

Proof of Concept

function addBid(uint256 lotId) external payable override whenNotPaused {
      // reject payments of 0 ETH
      if (msg.value == 0) revert InSufficientETH();

      LotItem storage lotItem = lots[lotId];
      if (block.number &gt; lotItem.endBlock) revert AuctionEnded();

This check fails even after 2 days have passed.

   function claimSD(uint256 lotId) external override {
        LotItem storage lotItem = lots[lotId];
        if (block.number &lt;= lotItem.endBlock) revert AuctionNotEnded();

A user cannot claim even after, 2 days have passed because 2*86400 blocks have not passed.

    function transferHighestBidToSSPM(uint256 lotId) external override nonReentrant {
        LotItem storage lotItem = lots[lotId];
        uint256 ethAmount = lotItem.highestBidAmount;

        if (block.number &lt;= lotItem.endBlock) revert AuctionNotEnded();

Same issue here

Tools Used

Manual Review

Recommended Mitigation Steps

Use block.timestamp to calculate time throught the contract

Assessed type

DoS

The text was updated successfully, but these errors were encountered:

All reactions

JSON