Any user can win an auction with just 1 WEI by canceling a large bid before an auction ends #1420
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1323
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
Comments
c4-submissions
added
3 (High Risk)
|
141345 marked the issue as duplicate of #962 |
|
alex-ppg marked the issue as not a duplicate |
|
alex-ppg marked the issue as duplicate of #1784 |
|
alex-ppg marked the issue as duplicate of #1323 |
|
alex-ppg marked the issue as partial-25 |
c4-judge
added
partial-25
|
alex-ppg marked the issue as satisfactory |
|
alex-ppg marked the issue as partial-25 |
c4-judge
added
partial-25
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L134-L143
Vulnerability details
Impact
The
cancelBidfunction inAuctionDemo.solallows any bidder to refund a previous bid of theirs if an auction has not yet ended. This, however, opens the opportunity for a malicious user to win any auction at a price as low as 1 WEI.As a bid can be canceled right before an auction ends, a bidder can front-run any other bids in order to be the first one to have bidded on an auction. They would use this to first make a bid of 1 WEI and then make another much larger bid, with a significantly greater value than the expected price of the NFT. During the auction period, no other bidder would have an incentive to bid on that auction as the token would be overpriced. Finally, at the last block of the auction period they would cancel their large bid, making sure no one else can outbid them in that block by another MEV attack, buying the token at just 1 WEI.
P.S. The attacker could also make the bid of 1 WEI right after canceling, instead of right before the larger bid.
Proof of Concept
Here is a likely scenario:
1/ An auction is started on an NFT from a collection with an average price of 1 ETH for a token.
2/ Malicious user frontruns any other transaction and immediately bids 1 WEI, followed by a second transaction of 10 ETH.
3/ Other bidders do not attempt to outbid the highest bid, as the NFT would be greatly overpriced.
4/ The auction is about to finish and the attacker performs the final part of the exploit.
Tools Used
Manual review
Recommended Mitigation Steps
Perhaps one possible mitigation would be to not allow the highest bidder to cancel their bid.
Assessed type
MEV
The text was updated successfully, but these errors were encountered: