Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using endtime for order cancelation deadline of gnosis auction could lead to bait and switch bid tactics #200

Open
c4-bot-1 opened this issue Aug 19, 2024 · 0 comments
Open

Using endtime for order cancelation deadline of gnosis auction could lead to bait and switch bid tactics #200

c4-bot-1 opened this issue Aug 19, 2024 · 0 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working 🤖_primary AI based primary recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-1
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/trading/GnosisTrade.sol#L84-L157

Vulnerability details

Impact

Allowing users to cancel orders last moment can lead to bait and switch bids designed to obtain assets below market value

Proof of Concept

GnosisTrade.sol#L84-L157

function init(
    IBroker broker_,
    address origin_,
    IGnosis gnosis_,
    uint48 batchAuctionLength,
    TradeRequest calldata req
) external stateTransition(TradeStatus.NOT_STARTED, TradeStatus.OPEN) {

    ...

    broker = broker_;
    origin = origin_;
    gnosis = gnosis_;
    endTime = uint48(block.timestamp) + batchAuctionLength;

    ...

    auctionId = gnosis.initiateAuction(
        sell,
        buy,
        endTime, <- @audit orderCancellationEndDate
        endTime, <- @audit auctionEndDate
        _sellAmount,
        minBuyAmount,
        minBuyAmtPerOrder,
        0,
        false,
        address(0),
        new bytes(0)
    );
}

Above we see that when creating an auction, both the auction end and order cancellation end are set to the same value.

EasyAuction.sol#L152-L227

function initiateAuction(
    IERC20 _auctioningToken,
    IERC20 _biddingToken,
    uint256 orderCancellationEndDate,
    uint256 auctionEndDate,
    uint96 _auctionedSellAmount,
    uint96 _minBuyAmount,
    uint256 minimumBiddingAmountPerOrder,
    uint256 minFundingThreshold,
    bool isAtomicClosureAllowed,
    address accessManagerContract,
    bytes memory accessManagerContractData
) public returns (uint256) {

    ...

    auctionData[auctionCounter] = AuctionData(
        _auctioningToken,
        _biddingToken,
        orderCancellationEndDate,
        auctionEndDate,
        IterableOrderedOrderSet.encodeOrder(
            userId,
            _minBuyAmount,
            _auctionedSellAmount
        ),
        minimumBiddingAmountPerOrder,
        0,
        IterableOrderedOrderSet.QUEUE_START,
        bytes32(0),
        0,
        false,
        isAtomicClosureAllowed,
        feeNumerator,
        minFundingThreshold
    );

    ...
}

We see from the gnosis auction contract that these unmodified time values are used directly for the auction. The result is that orders can be canceled up the the block before it is finalized. This opens up the ability to carry out a bait and switch MEV tactic on the auction.

  1. Bid entire auction amount with price 10% higher than market value at start of auction
  2. Other parties see that all tokens are "sold" for a price much higher than they are willing to pay. Since bidding requires locking tokens, rational actors won't place lower bids
  3. The block before it settles, cancel the high order and replace it with a bid at the minimum price

This would work particularly well as gnosis auctions can't be utilized by searchers/bots so a majority of bidders would be assumed to be humans.

Tools Used

Manual review

Recommended Mitigation Steps

orderCancellationEndDate should be set to a few minutes before the end of the auction, allowing for others to see the bait and switch and bid accordingly.

Assessed type

MEV
@c4-bot-1 c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 19, 2024
c4-bot-2 added a commit that referenced this issue Aug 19, 2024
@c4-bot-2
0x52 issue #200
29564f9
@c4-bot-12 c4-bot-12 added the 🤖_primary AI based primary recommendation label Aug 19, 2024
howlbot-integration bot added a commit that referenced this issue Aug 20, 2024
@howlbot-integration
0x52 update issue #200
a591d58
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working 🤖_primary AI based primary recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@c4-bot-1 @c4-bot-12