Artur - Lack of Emergency Control in Auction House Bidding Functions #173

Open
sherlock-admin3 opened this issue Nov 30, 2024 · 0 comments

sherlock-admin3 commented Nov 30, 2024

Artur

Medium

Lack of Emergency Control in Auction House Bidding Functions

Summary

The absence of the whenNotPaused modifier in the createBid functions creates a vulnerability for the auction house as it allows bidding to continue even during emergencies.

Root Cause

In the NounsAuctionHouseV3 contract, the createBid functions do not implement the whenNotPaused modifier, which is essential for pausing critical functions during emergencies.

function createBid(uint256 nounId) external payable override {
    createBid(nounId, 0);
}

/**
 * @notice Create a bid for a Noun, with a given amount.
 * @param nounId id of the Noun to bid on
 * @param clientId the client which facilitates this action
 * @dev This contract only accepts payment in ETH.
 */
function createBid(uint256 nounId, uint32 clientId) public payable override {
    // Function logic here
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The auction house suffers a complete loss of control over its bidding functionality. The absence of the whenNotPaused modifier allows:

  • Bids to be placed during a known vulnerability
  • The attacker to exploit the bidding process without any immediate way to halt the activity, resulting in unauthorized manipulation of auction outcomes.

PoC

No response

Mitigation

No response

@sherlock-admin4 sherlock-admin4 changed the title Tall Clay Gerbil - Lack of Emergency Control in Auction House Bidding Functions Artur - Lack of Emergency Control in Auction House Bidding Functions Dec 4, 2024
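
A pause-gated bid path of the kind the report asks for, as an added example that is not part of the submitted report and not code from NounsAuctionHouseV3. Only createBid, nounId, clientId and whenNotPaused come from the page; the contract name, storage layout, errors, event and refund logic are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the project's contract. Hypothetical names throughout,
// apart from createBid / nounId / clientId / whenNotPaused.
contract PausableAuctionSketch {
    address public immutable owner;
    bool public paused;
    uint256 public currentNounId;
    uint256 public endTime;
    uint256 public highestBid;
    address public highestBidder;
    mapping(address => uint256) public pendingRefunds;

    event Bid(uint256 indexed nounId, address bidder, uint256 value, uint32 clientId);
    error Paused(); error NotOwner(); error WrongNoun(); error AuctionOver(); error BidTooLow();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert Paused(); _; }

    constructor(uint256 nounId, uint256 duration) {
        owner = msg.sender;
        currentNounId = nounId;
        endTime = block.timestamp + duration;
    }

    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    // The one-argument overload carries no modifier of its own: its internal
    // call to the gated overload still executes whenNotPaused.
    function createBid(uint256 nounId) external payable { createBid(nounId, 0); }

    function createBid(uint256 nounId, uint32 clientId) public payable whenNotPaused {
        if (nounId != currentNounId) revert WrongNoun();
        if (block.timestamp >= endTime) revert AuctionOver();
        if (msg.value <= highestBid) revert BidTooLow();
        // Credit the outbid bidder instead of pushing ETH inside the bid call.
        if (highestBidder != address(0)) pendingRefunds[highestBidder] += highestBid;
        highestBid = msg.value;
        highestBidder = msg.sender;
        emit Bid(nounId, msg.sender, msg.value, clientId);
    }

    // Deliberately not pause-gated, so outbid funds stay withdrawable in an emergency.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

In this sketch endTime keeps running while the contract is paused, so a pause that outlasts the auction leaves the last accepted bid as the winner; whether that is acceptable is a design decision to make alongside adding the modifier.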