Code4rena: 2023-10-NEXTGEN-FINDINGS, issue 2038
Nov 13, 2023

AuctionDemo opens itself several DoS attack vectors


Lines of code

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

The auctionDemo.auctionInfoData map holds important information on auctions, keyed per tokenId. Needless to say, for auctions that become popular and/or long running, the auctionInfoStru[] array for a given _tokenid can get very large.

mapping (uint256 => auctionInfoStru[]) public auctionInfoData;

Several methods in this contract involve core logic that loops through the whole auctionInfoStru[] array for a tokenId. If this array is sufficiently large, then a transaction that calls any of the methods that directly invoke or indirectly rely on this looping logic can easily run out of gas and fail. Retrying so that the transaction succeeds may require a huge amount of gas, which can be very expensive.

The following functions directly invoke or indirectly rely on looping through auctionInfoData[_tokenid], where _tokenid is any given token being auctioned; this array could very easily grow large enough for a tx to run out of gas:

  • participateToAuction
  • returnHighestBid
  • returnHighestBidder
  • claimAuction
  • cancelAllBids

These are essentially all of the major functions of the NextGen auction functionality.

Some more details on the issues:

  • returnHighestBid is widely used; any function that calls it is subject to potential tx failure if the loop through the bids is large enough, which could happen quite often
  • if an Admin calls claimAuction to reward the winner and there was a sufficiently large number of bidders, the tx that refunds everyone and rewards the winner will either fail or require a HUGE amount of gas to run to completion; if the winner calls it, they face the same issue claiming their rightful reward.

Tools Used

Solidity

Recommended Mitigation Steps

Pull model over push model: require winners seeking their rightful prize and losers seeking a refund to withdraw for themselves; this can easily be implemented with a map lookup instead of large for loops.
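As an added illustration of this pull-model mitigation (not NextGen's or Code4rena's code; the contract and names such as PullAuction, withdrawRefund and refunds are hypothetical), the same auction bookkeeping with the highest bid tracked on every bid and outbid amounts credited to a per-token mapping, so no function loops over the bid list:

```solidity
pragma solidity ^0.8.20;
// Added illustration (hypothetical, not NextGen's code): AuctionDemo's bookkeeping
// restructured so no function loops over a token's bid history (access control omitted).
contract PullAuction {
    struct Auction {
        address highestBidder;
        uint256 highestBid;
        uint256 endTime;
        bool claimed;
    }
    mapping(uint256 => Auction) public auctions;                      // per tokenId, O(1)
    mapping(uint256 => mapping(address => uint256)) public refunds;   // losers' pull balances

    function startAuction(uint256 tokenId, uint256 duration) external {
        require(auctions[tokenId].endTime == 0, "auction exists");
        auctions[tokenId].endTime = block.timestamp + duration;
    }

    // Each bid updates the running maximum, so there is no returnHighestBid loop.
    // The outbid bidder is credited, not paid, so a reverting receiver cannot block bidding.
    function participateToAuction(uint256 tokenId) external payable {
        Auction storage a = auctions[tokenId];
        require(block.timestamp < a.endTime, "auction over");
        require(msg.value > a.highestBid, "bid too low");
        if (a.highestBidder != address(0)) {
            refunds[tokenId][a.highestBidder] += a.highestBid;
        }
        a.highestBidder = msg.sender;
        a.highestBid = msg.value;
    }

    // Losers pull their own refund: constant cost regardless of how many bids were placed.
    function withdrawRefund(uint256 tokenId) external {
        uint256 amount = refunds[tokenId][msg.sender];
        require(amount > 0, "nothing to refund");
        refunds[tokenId][msg.sender] = 0;                // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    // Winner settlement reads only the stored winner, never the whole bid list.
    function claimAuction(uint256 tokenId) external {
        Auction storage a = auctions[tokenId];
        require(block.timestamp >= a.endTime && !a.claimed, "not claimable");
        require(msg.sender == a.highestBidder, "not the winner");
        a.claimed = true;
        // NFT transfer and proceeds handling would follow here
    }
}
```

Because every path touches a fixed number of storage slots, gas cost no longer depends on the number of bids for a token, which removes the out-of-gas failure described above.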

Assessed type

DoS
