Auctions will always be won by MEV bots and validators, leading to auctions ending at a low price #1122
Comments
any bid before end time will break this vector.
141345 marked the issue as sufficient quality report
a2rocket (sponsor) disputed
These are hypotheses: someone could bid a really high amount at first, and then attackers may not wish to go so high; also, not everyone waits until the last block.
Duplicate of #736, discussion will be maintained there.
alex-ppg changed the severity to QA (Quality Assurance)
alex-ppg marked the issue as grade-c
Disagree with QA. This is a well-known issue in auction contracts and, as we can see here, it was acknowledged as a valid Medium issue on a recent code4rena contest:
Hey @trachevgeorgi, thanks for contributing to the PJQA process! I am familiar with the relevant ruling and have elaborated on the primary issue this submission is a duplicate of. Please let me know if there is any further clarification you require.
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L57-L61
Vulnerability details
Impact
Just like in https://code4rena.com/reports/2023-06-stader#m-13-no-bidder-has-incentive-to-bid-in-the-auction-except-doing-last-minute-mev-due-to-fixed-endblock, auctions will be maliciously exploited by users bidding at the last block in order to win an auction with the lowest price possible.
As all auctions have a fixed end date, a bidder can perform an MEV attack and bid right before an auction ends with a bid only 1 wei higher than the previous highest bid.
This would not only prevent the previous highest bidder from outbidding the attacker and winning the auction, but could lead to severe losses for the protocol. As last-minute MEV is highly incentivized and a well-known vulnerability in auctions with fixed end times, it is possible that no user bids throughout the auction, but only races to bid in the final block of the auction, with the lowest price possible, which could be as low as 1 wei.
Proof of Concept
Here is a possible scenario:
As users know that MEV attacks are incentivized, all bidders aiming to bid at an auction wait until the last block to make their bids. They all bid 1 wei, as no previous bids have been made, and the bidder whose transaction is executed first wins the auction at practically no cost.
Tools Used
Manual review
Recommended Mitigation Steps
Increase an auction's end time after every bid and introduce a minimum bid price.
Assessed type
MEV
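The scenario in the proof of concept and the two recommended mitigations (extend the end time after every late bid, require a minimum bid and a minimum increment) can be modelled off-chain to see how the outcomes differ. The following is an added Python model written for this page; it is not the NextGen AuctionDemo.sol code, and the block numbers, bidder names, amounts and the 10-block extension window are constructed values chosen for illustration. "Block" stands in for whatever time source the contract uses for its end time.

```python
"""Toy model of a fixed-end auction versus one with anti-snipe extension.

Constructed example for this issue; not the audited contract's logic.
Amounts are in wei, time is an integer block number.
"""
from dataclasses import dataclass, field


@dataclass
class Bid:
    bidder: str
    amount: int
    block: int


@dataclass
class Auction:
    end_block: int
    extension_blocks: int = 0    # 0 = fixed end time (the pattern the issue describes)
    min_bid: int = 0             # minimum accepted first bid, in wei
    min_increment_bps: int = 0   # required increase over the high bid, in basis points
    bids: list = field(default_factory=list)

    def highest(self):
        """Return the current highest bid, or None if nobody has bid."""
        return self.bids[-1] if self.bids else None

    def bid(self, bidder: str, amount: int, block: int) -> int:
        """Accept or reject a bid; return the (possibly extended) end block."""
        if block > self.end_block:
            raise ValueError("auction ended")
        high = self.highest()
        if high is None:
            if amount < self.min_bid:
                raise ValueError("below minimum bid")
        else:
            # A bare +1 wei overbid is rejected once an increment is required.
            required = high.amount + high.amount * self.min_increment_bps // 10_000
            if amount <= high.amount or amount < required:
                raise ValueError("bid too low")
        self.bids.append(Bid(bidder, amount, block))
        # Anti-snipe rule: a bid inside the final window pushes the end out,
        # so a last-block bid can always be answered by the previous bidder.
        if self.extension_blocks and self.end_block - block < self.extension_blocks:
            self.end_block = block + self.extension_blocks
        return self.end_block


def _try(auction: Auction, bidder: str, amount: int, block: int) -> bool:
    """Place a bid and report whether it was accepted."""
    try:
        auction.bid(bidder, amount, block)
        return True
    except ValueError:
        return False


def run_fixed_end_scenario():
    """The PoC: everyone waits for the final block and bids 1 wei.

    Returns (winner, winning amount, final end block, rejected bids).
    """
    a = Auction(end_block=100)
    rejected = 0
    rejected += not _try(a, "alice", 1, 100)   # first 1 wei bid in the last block wins
    rejected += not _try(a, "bob", 1, 100)     # same amount, same block: too low
    rejected += not _try(a, "carol", 2, 101)   # one block late: auction over
    high = a.highest()
    return high.bidder, high.amount, a.end_block, rejected


def run_hardened_scenario():
    """Same bidders against an auction with minimum bid, increment and extension."""
    a = Auction(end_block=100, extension_blocks=10,
                min_bid=10**17, min_increment_bps=500)  # 0.1 ether, 5 %
    rejected = 0
    rejected += not _try(a, "alice", 1, 100)                    # below minimum bid
    rejected += not _try(a, "alice", 10**17, 100)               # accepted; end -> 110
    rejected += not _try(a, "bob", 10**17 + 1, 109)             # +1 wei: below 5 % increment
    rejected += not _try(a, "bob", 105 * 10**15, 109)           # accepted; end -> 119
    rejected += not _try(a, "alice", 120 * 10**15, 120)         # after extended end
    high = a.highest()
    return high.bidder, high.amount, a.end_block, rejected


if __name__ == "__main__":
    print("fixed end:", run_fixed_end_scenario())
    print("hardened: ", run_hardened_scenario())
```

In the fixed-end run the first 1 wei transaction in block 100 wins outright, which is the outcome the proof of concept describes. With the extension rule each late bid moves the end block, so the previous high bidder always has a window to respond, and the minimum bid plus increment removes the "1 wei more than the last bid" move entirely. The extension window and increment are parameters the protocol would have to pick; the values here are only placeholders.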