giraffe - Malicious DOS by pausing contract

[sherlock-admin]

giraffe

medium

Malicious DOS by pausing contract

Summary

Due to EIP150 introduction of the 63/64 gas rule, it is possible to DOS the Auction.sol by repeatedly pausing it. This is done through providing the correct amount of gas when calling settleCurrentAndCreateNewAuction() that would cause _createAuction -> token.mint() to fail.

Vulnerability Detail

Same bug from previous contest remains unfixed, and is not listed as a known issue:
https://code4rena.com/reports/2022-09-nouns-builder#m-15-malicious-pausing-the-contract
Essentially, _createAuction does a try-catch to call token.mint(). If the try call fails due to insufficient gas, the catch block is triggered which pauses the contract.

The bug is exploitable if token.mint() uses more than 1.5 mil of gas because 1.5mil / 64 is > 20,000 which is the amount of gas needed to pause the contract. This is achievable when roughly 20 tokens are being minted to founders.

Impact

As settleCurrentAndCreateNewAuction() can be called by anyone, an attacker can potentially keep pausing the auction contract, which requires a DAO vote to call unpause() causing major inconvenience and possibly permanent DOS of the auction.

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/auction/Auction.sol#L294

Tool used

Manual Review

Recommendation

Before calling token.mint() check that sufficient gas being forwarded so that the mint will not fail due to a lack of gas. This could be stored in a minGas variable.

Duplicate of #243

[giraffe0x]

Request to escalate.

Medium finding in previous C4 contest but un-fixed. Past audit findings not excluded under known issues.

[sherlock-admin2]

Escalate

You've deleted an escalation for this issue.