Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Auction front-running causes DoS for legit purchases

holydevoti0n

Vulnerability Details

The buy() function in the Auction contract is vulnerable to front-running attacks due to its strict validation of purchase amounts against remaining tokens. When a user attempts to purchase the exact remaining amount of tokens, an attacker can front-run their transaction with a small purchase, causing the victim's transaction to revert.

function buy(uint256 amount) external whenActive {

require(amount <= state.totalRemaining, "Not enough ZENO remaining"); // Vulnerable check

// ... rest of function

}

Let's take as an example the scenario where the user wants to buy the amount of 200(totalRemaining):

Attacker front-runs user transaction and buy 1 unit only, now the totalRemaining is 199
Now user transaction reverts and user misses the opportunity of buy the 200 in that desired price

Impact

Users can be prevented from purchasing their desired token amount

Denial of Service through repeated front-running

Loss of opportunity to buy at specific price points, as auction price changes over time

Tools Used

Manual Review

Recommendations

Modify the buy() function to handle partial fills by adjusting the purchase amount to the remaining balance:

function buy(uint256 amount) external whenActive {

uint256 purchaseAmount = amount > state.totalRemaining ? state.totalRemaining : amount;

uint256 price = getPrice();

uint256 cost = price * purchaseAmount;

require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");

state.totalRemaining -= purchaseAmount;

state.lastBidTime = block.timestamp;

state.lastBidder = msg.sender;

zeno.mint(msg.sender, purchaseAmount);

emit ZENOPurchased(msg.sender, purchaseAmount, price);

}

Additionally, a minimum amount to be bought can be enforced.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.