First `DaiGoldAuction` can be used to DOS the contract and grief users
In `DaiGoldAuction`, the `startAuction` function allows anyone to start an auction if the `auctionStarter` is not set (i.e., `address(0)`). This vulnerability arises because `auctionStarter` is always initialized to `address(0)`.
A user can start an auction immediately after the contract is created because `auctionStarter` is `address(0)` and `auctionConfig` is empty. When the contract is created and a user calls `startAuction`, all checks pass since `prevAuctionInfo` and `config` are empty (all `uint` values are set to 0).
This results in an auction with 0 `totalGoldAmount`, a `startTime` of now, and an `endTime` in 1 week.
Issues that arise:
1. If bidders bid, their tokens will be wasted as the auction allocation is 0 and below `auctionMinimumDistributedGold` (which is 0 because the config is not initialized).
2. `setAuctionConfig` and `setAuctionStarter` don't work when there is an ongoing auction. This means that if such an auction is started, it can be kept running indefinitely by an attacker who front-runs the next `setAuctionStarter` or `setAuctionConfig` call with `startAuction` and starts a new auction (this time with some tokens).
Example scenario:
1. `DaiGoldAuction` is created.
2. Alice front-runs the call to `setAuctionConfig` with `startAuction`, starting an auction.
3. The admin's call to `setAuctionConfig` reverts. The system now needs to wait 1 week to set the config.
4. Alice front-runs the next call again with `startAuction`.
https://gist.github.com/0x3b33/32c89ff667624b66951cf8dd8de261fe
Paste in: protocol/test/forge/templegold/<name>.t.sol
Run with: forge test --match-test test_brick_contract -vvvv
`DaiGoldAuction` is DOSed for at least a week, most likely more. Some users will lose their tokens.
Manual review
Initialize `auctionStarter` as `address(1)` to disable `startAuction`'s free calls. Another option is to set the config in the constructor. Ensure the config is set before users are allowed to start auctions.
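Both recommendations applied to a simplified model of the start gate, as an added example that is not the project's contract. The contract name, the errors, `admin`, `auctionDuration`, `currentEpoch`, `fundNextAuction` and the struct layouts are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the start gate with both recommendations applied.
/// Not the project's contract: names that are not on the page are hypothetical.
contract HardenedAuctionGate {
    struct AuctionConfig { uint160 auctionMinimumDistributedGold; uint32 auctionDuration; }
    struct EpochInfo { uint64 startTime; uint64 endTime; uint256 totalGoldAmount; }

    error InvalidAccess();
    error InvalidConfig();
    error CannotStartAuction();
    error LowGoldDistributed(uint256 amount);

    address public immutable admin;
    // Nobody holds a key for address(1), so startAuction stays closed until the admin opts in.
    address public auctionStarter = address(1);
    AuctionConfig public auctionConfig;
    EpochInfo public currentEpoch;
    uint256 public nextAuctionGoldAmount;

    constructor(AuctionConfig memory cfg) {
        admin = msg.sender;
        // The config exists before any auction can: the all-zero default is rejected.
        if (cfg.auctionMinimumDistributedGold == 0 || cfg.auctionDuration == 0) revert InvalidConfig();
        auctionConfig = cfg;
    }

    /// address(0) still means "anyone may start", but only by explicit admin choice.
    function setAuctionStarter(address starter) external {
        if (msg.sender != admin) revert InvalidAccess();
        if (block.timestamp < currentEpoch.endTime) revert CannotStartAuction();
        auctionStarter = starter;
    }

    /// Hypothetical stand-in for however gold reaches the auction.
    function fundNextAuction(uint256 amount) external {
        if (msg.sender != admin) revert InvalidAccess();
        nextAuctionGoldAmount += amount;
    }

    function startAuction() external {
        if (auctionStarter != address(0) && msg.sender != auctionStarter) revert InvalidAccess();
        if (block.timestamp < currentEpoch.endTime) revert CannotStartAuction();
        uint256 gold = nextAuctionGoldAmount;
        // With a non-zero minimum enforced at construction, a 0-gold auction cannot start.
        if (gold < auctionConfig.auctionMinimumDistributedGold) revert LowGoldDistributed(gold);
        nextAuctionGoldAmount = 0;
        uint64 nowTs = uint64(block.timestamp);
        currentEpoch = EpochInfo(nowTs, nowTs + auctionConfig.auctionDuration, gold);
    }
}
```

Right after deployment, a call to `startAuction` from any account reverts with `InvalidAccess`, so the admin's first `setAuctionStarter` call cannot be blocked by an empty auction.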