Platform: Code4rena
Start Date: 02/08/2023
Pot Size: $42,000 USDC
Total HM: 13
Participants: 45
Period: 5 days
Judge: hickuphh3
Total Solo HM: 5
Id: 271
League: ETH
Rank: 32/45
Findings: 1
Award: $89.63
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Aymen0909
Also found by: 0xStalin, 0xbepresent, Arz, D_Auditor, Jorgect, T1MOH, bin2chen, dirk_y, josephdara, ptsanev, rvierdiiev, seerether, shirochan, trachev
89.6296 USDC - $89.63
There's no access restriction on rngComplete, which allows anyone to execute this function and complete the auction. This can lead to unexpected behavior or a potential DoS attack where a user completes the auction.
Manual Analysis
It's recommended to check that only the relayer can execute this function.
/// @notice Called by the relayer to complete the Rng relay auction. ... function rngComplete( uint256 _randomNumber, uint256 _rngCompletedAt, address _rewardRecipient, uint32 _sequenceId, AuctionResult calldata _rngAuctionResult ) external returns (bytes32) { + require(msg.sender == rngAuctionRelayer, "RngRelayAuction/rngComplete: Only the relayer can call this function"); if (_sequenceHasCompleted(_sequenceId)) revert SequenceAlreadyCompleted();
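Review bot: The added require at the top of rngComplete compares msg.sender against rngAuctionRelayer, but nothing in the visible lines declares or sets that variable. The change should also show where rngAuctionRelayer is stored (for example an immutable set in the constructor and checked to be non-zero), otherwise the guard can end up comparing against an unset address and lock the function for every caller. The very next line already uses a custom error, revert SequenceAlreadyCompleted(), so a custom error here (hypothetical name: CallerNotRelayer) would match the contract's style better than the long revert string. A test that a call from any address other than the relayer reverts should accompany the change.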
Access Control
#0 - c4-pre-sort
2023-08-08T03:01:38Z
raymondfam marked the issue as duplicate of #82
#1 - c4-judge
2023-08-14T02:47:15Z
HickupHH3 marked the issue as satisfactory