SIZE contest - corerouter's results

An on-chain sealed bid auction protocol.

General Information

Platform: Code4rena

Start Date: 04/11/2022

Pot Size: $42,500 USDC

Total HM: 9

Participants: 88

Period: 4 days

Judge: 0xean

Total Solo HM: 2

Id: 180

League: ETH


Findings Distribution

Researcher Performance

Rank: 87/88

Findings: 1

Award: $5.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

5.604 USDC - $5.60

Labels

bug
2 (Med Risk)
satisfactory
duplicate-237

External Links

Lines of code

https://github.com/code-423n4/2022-11-size/blob/790811de1dffd3619d05f89a339fcac1e927117e/src/SizeSealed.sol#L157

Vulnerability details

Impact

To prevent DoS attacks, a maximum of 1000 bids is allowed in any auction. With this limit in place, an auction can be attacked in the following two ways:

  1. For a red-hot auction that many bidders want to win, a malicious bidder, working alone or coordinating with others, can bid at the price of minimumBidQuote as soon as the auction starts, using 1000 different wallet addresses, each bidding minimumBidQuote for 0.1% of the total auction amount. After that, even if someone wants to bid at a higher price, they cannot, because the maximum of 1000 bids has already been reached. Such an auction is poor at price discovery and at maximizing value for the project.

  2. If someone wants to make an auction fail to raise money, they can bid from 1000 different wallet addresses as soon as the auction starts. After that, nobody else can bid, because the maximum number of bids has been reached. Later, at any point before 24 hours have passed after the auction's endTimestamp, they can cancel all of their bids without any penalty under the current implementation. As a result, the auction ends with no bidders and fails to raise money.

Proof of Concept

https://github.com/code-423n4/2022-11-size/blob/790811de1dffd3619d05f89a339fcac1e927117e/src/SizeSealed.sol#L157-L159

https://github.com/code-423n4/2022-11-size/blob/790811de1dffd3619d05f89a339fcac1e927117e/src/SizeSealed.sol#L415-L430

Tools Used

Recommended Mitigation Steps

There are two ways to improve the auction mechanism:

  1. Increase the maximum number of bids per auction from 1,000 to a greater number such as 10,000. This does not remove the vector, but it raises the attacker's cost (wallets, gas and capital locked in bids) and makes the attack harder.
  2. Only allow a bidder to cancel a bid until some cutoff ahead of the auction's endTimestamp, for example 24 hours before the end. Once cancellations close, other participants still have a chance to bid into the slots that earlier bidders have freed.
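As an added illustration of both attack paths and of mitigation 2, the following Python model is constructed for this page; it is not code from the contest repository or from the submission. The SealedAuction class, its method names, the cancel_cutoff parameter and the sybil wallet labels are assumptions, and the model assumes that a cancelled bid frees its slot under the cap, which is the premise the second mitigation relies on.

```python
# Constructed model of the bid cap and cancel window described in the finding.
# It is NOT SizeSealed.sol: the class, its method names, the cancel_cutoff
# parameter and the sybil-wallet labels are assumptions for illustration.

MAX_BIDS = 1000            # the per-auction cap the finding refers to
REVEAL_WINDOW = 24 * 3600  # cancellation stays open until endTimestamp + 24h (per the finding)
DAY = 24 * 3600


class SealedAuction:
    """Minimal state machine: bids are counted against a cap, a cancelled bid
    frees its slot (the premise mitigation 2 relies on), and finalize() returns
    whatever bids remain."""

    def __init__(self, end_timestamp, minimum_bid_quote, max_bids=MAX_BIDS, cancel_cutoff=0):
        # cancel_cutoff == 0 models the behaviour the finding describes;
        # cancel_cutoff == DAY models mitigation 2 (no cancellations in the last 24h).
        self.end = end_timestamp
        self.min_quote = minimum_bid_quote
        self.max_bids = max_bids
        self.cancel_cutoff = cancel_cutoff
        self.bids = {}          # bid index -> (bidder, quote_amount)
        self.next_index = 0
        self.finalized = False

    def bid(self, now, bidder, quote_amount):
        if now >= self.end:
            raise ValueError("auction has ended")
        if quote_amount < self.min_quote:
            raise ValueError("quote below minimumBidQuote")
        if len(self.bids) >= self.max_bids:
            raise ValueError("maximum number of bids reached")   # the DoS point
        idx = self.next_index
        self.bids[idx] = (bidder, quote_amount)
        self.next_index += 1
        return idx

    def cancel_bid(self, now, bidder, idx):
        if self.finalized:
            raise ValueError("auction already finalized")
        # Without a cutoff, cancellation is open until endTimestamp + 24h.
        # With a cutoff, it closes `cancel_cutoff` seconds before endTimestamp.
        deadline = self.end - self.cancel_cutoff if self.cancel_cutoff else self.end + REVEAL_WINDOW
        if now >= deadline:
            raise ValueError("cancellation window closed")
        if self.bids.get(idx, (None, 0))[0] != bidder:
            raise ValueError("not the bid owner")
        del self.bids[idx]   # slot is freed

    def finalize(self, now):
        if now < self.end:
            raise ValueError("auction still running")
        self.finalized = True
        return sorted(self.bids.values(), key=lambda b: b[1], reverse=True)


def price_suppression_scenario():
    """Attack 1: fill the cap at minimumBidQuote so a higher bid is rejected.
    Returns the highest quote present at finalization (the minimum)."""
    end = 1_000_000
    a = SealedAuction(end, minimum_bid_quote=10)
    opens = end - 4 * DAY
    for i in range(a.max_bids):
        a.bid(opens, f"sybil-{i}", 10)
    try:
        a.bid(opens + 60, "legit", 500)   # genuine, much higher bid
    except ValueError:
        pass                              # rejected: cap already reached
    return max(q for _, q in a.finalize(end + 1))


def griefing_scenario(cancel_cutoff=0):
    """Attack 2: fill the cap, lock everyone else out, then cancel every bid
    shortly before the end. Returns (legit_bid_rejected, bids_cancelled,
    bids_left_at_finalization)."""
    end = 1_000_000
    a = SealedAuction(end, minimum_bid_quote=1, cancel_cutoff=cancel_cutoff)
    opens = end - 4 * DAY
    idxs = [a.bid(opens, f"sybil-{i}", 1) for i in range(a.max_bids)]
    try:
        a.bid(opens + 3600, "legit", 1000)
        rejected = False
    except ValueError:
        rejected = True
    cancelled = 0
    for i, idx in enumerate(idxs):
        try:
            a.cancel_bid(end - 3600, f"sybil-{i}", idx)   # one hour before the end
            cancelled += 1
        except ValueError:
            break                                         # cutoff in force
    return rejected, cancelled, len(a.finalize(end + 1))


if __name__ == "__main__":
    print("attack 1, clearing quote:", price_suppression_scenario())          # 10
    print("attack 2, no cutoff:", griefing_scenario())                        # (True, 1000, 0)
    print("attack 2, 24h cutoff:", griefing_scenario(cancel_cutoff=DAY))      # (True, 0, 1000)
```

With no cutoff the attacker empties the auction an hour before it closes; with a 24-hour cutoff the same cancellation attempt is refused, so the sybil bids stay locked in and the attacker at least pays for them, though the cap is still full and the legitimate bid was still rejected, which is why the finding pairs this with raising the cap.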

#0 - c4-judge

2022-11-09T15:37:38Z

0xean marked the issue as duplicate

#1 - c4-judge

2022-12-06T00:22:24Z

0xean marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
