Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Title: Denial of Service Vulnerability in buy Function Leading to Potential Centralization of ZENO Bonds

Summary

The Denial of Service vulnerability in the buy function is a high severity issue that can lead to potential centralization of ZENO bonds and compromise the fairness and decentralization of the auction. Implementing checks for minimum purchase amount and gas limit, and conducting thorough audits and testing are essential to address this issue and enhance the security and reliability of the auction. The severity of this issue is classified as high due to the potential impact on the auction's functionality and fairness.

Vulnerability Details

The buy function in the Auction contract is vulnerable to a Denial of Service (DoS) attack. A malicious user can call the function with an amount of zero or with an incredibly high gas price, repeatedly entering the function and potentially freezing its functionality. This can prevent other users from participating in the auction and allow the attacker to buy a large amount of ZENO bonds at the reserve price towards the end of the auction, compromising the fairness and decentralization of the auction.

Impact

  • Denial of Service: A malicious user can repeatedly call the buy function with an amount of zero or high gas price, freezing the functionality and preventing other users from participating in the auction.

  • Centralization: The attacker can exploit the DoS vulnerability to buy a large amount of ZENO bonds at the reserve price towards the end of the auction, leading to centralization and compromising the fairness of the auction.

  • Loss of Trust: The vulnerability can lead to loss of trust in the auction platform, affecting its credibility and user participation.

Tools Used

Manual review

Recommendations

  1. Minimum Purchase Amount: Implement a check to ensure that the purchase amount is greater than zero.

  2. Gas Limit: Implement a gas limit to prevent transactions with an incredibly high gas price from being processed.

  3. Audit and Testing: Conduct a thorough audit and testing of the contract to ensure that the buy function is secure and resistant to DoS attacks.

    function buy(uint256 amount) external whenActive nonReentrant {
        // Recommendation 1: reject zero-amount purchases before any state is touched
        require(amount > 0, "Purchase amount must be greater than zero");
        // Recommendation 2: example gas limit
        require(gasleft() <= 1000000, "Gas limit exceeded");
        require(amount <= state.totalRemaining, "Not enough ZENO remaining");
        uint256 price = getPrice();
        uint256 cost = price * amount;
        // Transfer USDC from buyer to business address
        require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
        bidAmounts[msg.sender] += amount;
        state.totalRemaining -= amount;
        state.lastBidTime = block.timestamp;
        state.lastBidder = msg.sender;
        // Mint ZENO tokens to the buyer
        zeno.mint(msg.sender, amount);
        emit ZENOPurchased(msg.sender, amount, price);
        // Check if auction should end early
        if (state.totalRemaining == 0) {
            _endAuction();
        }
    }
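As an added illustration for recommendations 1 and 3 (this is example code written for this page, not code from the Regnum Aurum repository or from the submission itself), the guarded buy function placed in a minimal compilable contract together with a Foundry-style regression test that pins the zero-amount revert and confirms a normal purchase still succeeds. The mock USDC and ZENO tokens, the constant getPrice, the forge-std Test import, the sample addresses and the amounts are all assumptions made for the example; only the minimum-amount check from recommendation 1 is carried over, and the example does not implement a gas-based check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the Regnum Aurum codebase.
// forge-std is assumed for the test contract at the bottom.
import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

interface IZENO {
    function mint(address to, uint256 amount) external;
}

// Test-only stand-in for USDC: tracks balances, skips allowance bookkeeping.
contract MockUSDC is IERC20 {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 value) external { balanceOf[to] += value; }
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(balanceOf[from] >= value, "insufficient USDC");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// Test-only stand-in for the ZENO bond token.
contract MockZENO is IZENO {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

contract Auction {
    struct State { uint256 totalRemaining; uint256 lastBidTime; address lastBidder; bool active; }
    State public state;
    IERC20 public immutable usdc;
    IZENO public immutable zeno;
    address public immutable businessAddress;
    uint256 private immutable price; // constant price keeps the illustration short
    mapping(address => uint256) public bidAmounts;
    bool private locked;

    event ZENOPurchased(address indexed buyer, uint256 amount, uint256 price);
    event AuctionEnded();

    modifier whenActive() { require(state.active, "Auction not active"); _; }
    modifier nonReentrant() { require(!locked, "Reentrant call"); locked = true; _; locked = false; }

    constructor(IERC20 _usdc, IZENO _zeno, address _business, uint256 supply, uint256 _price) {
        usdc = _usdc; zeno = _zeno; businessAddress = _business; price = _price;
        state = State({totalRemaining: supply, lastBidTime: 0, lastBidder: address(0), active: true});
    }

    function getPrice() public view returns (uint256) { return price; }

    function buy(uint256 amount) external whenActive nonReentrant {
        // Recommendation 1: a zero-amount call reverts before it can touch state, emit or mint.
        require(amount > 0, "Purchase amount must be greater than zero");
        require(amount <= state.totalRemaining, "Not enough ZENO remaining");
        uint256 p = getPrice();
        require(usdc.transferFrom(msg.sender, businessAddress, p * amount), "Transfer failed");
        bidAmounts[msg.sender] += amount;
        state.totalRemaining -= amount;
        state.lastBidTime = block.timestamp;
        state.lastBidder = msg.sender;
        zeno.mint(msg.sender, amount);
        emit ZENOPurchased(msg.sender, amount, p);
        if (state.totalRemaining == 0) _endAuction();
    }

    function _endAuction() internal { state.active = false; emit AuctionEnded(); }
}

// Recommendation 3: a regression test that pins the guard and checks a normal purchase.
contract AuctionBuyTest is Test {
    MockUSDC usdc; MockZENO zeno; Auction auction;
    address buyer = address(0xB0B);      // constructed sample address
    address business = address(0xB15);  // constructed sample address

    function setUp() public {
        usdc = new MockUSDC();
        zeno = new MockZENO();
        auction = new Auction(usdc, zeno, business, 1_000, 2e6); // 2 USDC (6 decimals) per bond
        usdc.mint(buyer, 10e6);
    }

    function testZeroAmountReverts() public {
        vm.expectRevert(bytes("Purchase amount must be greater than zero"));
        vm.prank(buyer);
        auction.buy(0);
        // The reverted call left no trace of a bid.
        assertEq(auction.bidAmounts(buyer), 0);
        (uint256 remaining,, address lastBidder,) = auction.state();
        assertEq(remaining, 1_000);
        assertEq(lastBidder, address(0));
    }

    function testPositiveAmountSucceeds() public {
        vm.prank(buyer);
        auction.buy(3);
        assertEq(zeno.balanceOf(buyer), 3);
        assertEq(usdc.balanceOf(business), 6e6);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the same two checks can be expressed as a Hardhat test against the project's real contracts, which is the toolchain the contest lists.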
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
