This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
sherlock-admin opened this issue Dec 1, 2023 · 2 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
sherlock-admin2 changed the title from "Bitter Crepe Rattlesnake - Malicious DOS by pausing contract" to "giraffe - Malicious DOS by pausing contract" on Dec 13, 2023
giraffe
medium
Malicious DOS by pausing contract
Summary
Due to EIP150 introduction of the 63/64 gas rule, it is possible to DOS the `Auction.sol` by repeatedly pausing it. This is done through providing the correct amount of gas when calling `settleCurrentAndCreateNewAuction()` that would cause `_createAuction -> token.mint()` to fail.
Vulnerability Detail
Same bug from previous contest remains unfixed, and is not listed as a known issue:
https://code4rena.com/reports/2022-09-nouns-builder#m-15-malicious-pausing-the-contract
Essentially, `_createAuction` does a `try-catch` to call `token.mint()`. If the `try` call fails due to insufficient gas, the `catch` block is triggered which pauses the contract.
The bug is exploitable if `token.mint()` uses more than 1.5 mil of gas because 1.5mil / 64 is > 20,000 which is the amount of gas needed to pause the contract. This is achievable when roughly 20 tokens are being minted to founders.
Impact
As `settleCurrentAndCreateNewAuction()` can be called by anyone, an attacker can potentially keep pausing the auction contract, which requires a DAO vote to call `unpause()`, causing major inconvenience and possibly permanent DOS of the auction.
Code Snippet
https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/auction/Auction.sol#L294
Tool used
Manual Review
Recommendation
Before calling `token.mint()` check that sufficient gas is being forwarded so that the mint will not fail due to a lack of gas. This could be stored in a `minGas` variable.
Duplicate of #243
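One way to implement the recommended gas check, as an added example that is not code from the report or from the Nouns Builder repository. The `IToken` interface, the `AuctionGasGuardSketch` contract, the `INSUFFICIENT_GAS` error, the `AuctionCreated` event, the `paused` flag and the value given to `minGas` are assumptions standing in for the real contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical minimal interface; only mint() is named in the report.
interface IToken {
    function mint() external returns (uint256 tokenId);
}

// Illustrative contract, not the project's Auction.sol.
contract AuctionGasGuardSketch {
    IToken public immutable token;
    // Assumed parameter: worst-case gas cost of token.mint() (founder mints
    // included) plus a margin for the opcodes between the check and the call.
    uint256 public immutable minGas;
    bool public paused;

    event AuctionCreated(uint256 tokenId);
    error INSUFFICIENT_GAS();

    constructor(IToken _token, uint256 _minGas) {
        token = _token;
        minGas = _minGas;
    }

    function settleCurrentAndCreateNewAuction() external {
        require(!paused, "paused");
        // Settlement of the current auction is out of scope for this sketch.
        _createAuction();
    }

    function _createAuction() private {
        // EIP-150 forwards at most 63/64 of the remaining gas to token.mint().
        // If that share cannot cover minGas, revert the whole transaction so an
        // under-funded call never reaches the catch branch that pauses.
        if ((gasleft() * 63) / 64 < minGas) revert INSUFFICIENT_GAS();

        try token.mint() returns (uint256 tokenId) {
            emit AuctionCreated(tokenId);
        } catch {
            // With minGas sized correctly, reached only when mint() fails
            // for a reason other than the caller's gas limit.
            paused = true;
        }
    }
}
```

Because the check reverts instead of returning, the settlement done earlier in the same transaction is rolled back too, so a caller who under-supplies gas changes no state.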