Platform: Code4rena
Start Date: 13/12/2023
Pot Size: $36,500 USDC
Total HM: 18
Participants: 110
Period: 8 days
Judge: 0xTheC0der
Id: 311
League: ETH
Rank: 99/110
Findings: 1
Award: $7.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: deth
Also found by: 00xSEV, 0xCiphky, 0xHelium, ABAIKUNANBAEV, Aamir, AkshaySrivastav, King_, Pechenite, SpicyMeatball, Tricko, ast3ros, ayden, bart1e, deth, fnanni, ke1caM, mahdirostami, peanuts, pep7siup, pontifex, ptsanev, roland, rvierdiiev, y4y
7.2215 USDC - $7.22
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L209 https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L519
In the Revolution Protocol, users can create art pieces and publish them to the CultureIndex contract for public voting. Then, the highest voted piece would get auctioned in the AuctionHouse contract. And upon a new piece being autioned, AutionHouse will try to call VerbsToken.mint to mint a new NFT for the piece.
function _createAuction() internal { // Check if there's enough gas to safely execute token.mint() and subsequent operations require(gasleft() >= MIN_TOKEN_MINT_GAS_THRESHOLD, "Insufficient gas for creating auction"); try verbs.mint() returns (uint256 verbId) { // ... } catch { _pause(); } }
Inside the mint function, the VerbsToken calls CultureIndex.dropTopVotedPiece to mint the highest voted piece as the auctioned NFT. However, the prerequisite for the mint is that the piece has to have more votes than quorum votes set when the piece is created. When this condition is taking longer than expected time to meet, the mint function will always revert as the prerequisite is not met.
function dropTopVotedPiece() public nonReentrant returns (ArtPiece memory) { require(msg.sender == dropperAdmin, "Only dropper can drop pieces"); ICultureIndex.ArtPiece memory piece = getTopVotedPiece(); require(totalVoteWeights[piece.pieceId] >= piece.quorumVotes, "Does not meet quorum votes to be dropped."); // ... }
As a result, the _createAuction function will catch such revert, and pause the auction contract. The admin can unpause, but since the unpause function also tries to call _createAuction when the last auction is settled, the cycle repeats and the auction contract will pause again. This causes the auction contract to not be able to serve its purpose and hence the DoS.
Suppose we are in a new round of auction, and the art piece 1337 currently has the highest vote and ready to be auctioned in the next round. When this piece is being created, there are total of 100 * 10 ** 18 total supply of voting tokens, and let's suppose the quorum ratio is 50%, which means this piece would require at least 50 * 10 ** 18 tokens to be successfully minted and auctioned later. But shortly after the piece is created, some party, malicious or not, has burnt a huge amount of voting tokens, which caused the total supply dropped to 50 * 10 ** 18. Now, some time has passed, and this piece earned the most votes and will be auctioned next. However, the mint would fail because at piece creation, only half of the total votes are needed, now it would need all the votes. This makes the minting to be stopped, and the auction house has to wait for the prerequisite to met to start function again. During the time, no tokens can be auctioned and minted.
Manual review
When doing quorum check, compare the percentage of votes of current total supply. Or record the relative weight/percentage each user has voted when voting.
DoS
#0 - c4-pre-sort
2023-12-22T02:30:04Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-12-22T02:30:11Z
raymondfam marked the issue as duplicate of #16
#2 - c4-pre-sort
2023-12-24T15:11:02Z
raymondfam marked the issue as duplicate of #449
#3 - c4-judge
2024-01-06T15:56:35Z
MarioPoneder changed the severity to 2 (Med Risk)
#4 - c4-judge
2024-01-06T15:57:51Z
MarioPoneder marked the issue as satisfactory