You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
The third party can control the gas and cause the external call of the contract to fail, but the remaining 1 / 64 gas can still execute the subsequent logic try/catch normally, causing problems in the pause logic.
Vulnerability Detail
This issue involves the fix from the previous review, refer to: M-12、M-15.
The main problem has been detailed in M-15, but due to intentional design, the previous contract would not catch OOG errors, but the fix in M-12 will now catch OOG errors.
Therefore, a malicious attacker can use a carefully designed gas amount to maliciously suspend the contract operation.
Impact
The contract was maliciously suspended and had to wait for the owner to unpause and mint coins.
sherlock-admin
added
Reward
A payout will be made for this issue
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
and removed
Non-Reward
This issue will not receive a payout
labels
Dec 21, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
kutugu
medium
Malicious pausing auction attack
Summary
The third party can control the gas and cause the external call of the contract to fail, but the remaining 1 / 64 gas can still execute the subsequent logic try/catch normally, causing problems in the pause logic.
Vulnerability Detail
This issue involves the fix from the previous review, refer to: M-12、M-15.
The main problem has been detailed in M-15, but due to intentional design, the previous contract would not catch OOG errors, but the fix in M-12 will now catch OOG errors.
Therefore, a malicious attacker can use a carefully designed gas amount to maliciously suspend the contract operation.
Impact
The contract was maliciously suspended and had to wait for the owner to unpause and mint coins.
Code Snippet
Tool used
Manual Review
Recommendation
Check gas limits or handle different errors differently
Duplicate of #243
The text was updated successfully, but these errors were encountered: