OlaHamid - DOS Attack on getActiveAuctionOrders Function

[sherlock-admin2]

OlaHamid

Medium

DOS Attack on getActiveAuctionOrders Function

SUMMARY

The getActiveAuctionOrders function is vulnerable to a Denial of Service (DOS) attack due to a potential gas exhaustion issue. An attacker can exploit the offset and limit parameters to manipulate the function in such a way that it becomes inefficient or fails to process other legitimate requests.

ROOT CAUSE

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/auctions/AuctionFactory.sol#L130
The root cause of this vulnerability lies in the logic of the getActiveAuctionOrders function, specifically the combination of the offset and limit parameters used to determine the range of orders fetched. If an attacker provides a large offset value, it can cause the loop in the function to process an excessive number of auction orders, potentially consuming excessive gas.

• The function calculates the length of orders to fetch, subtracts the offset from the limit, and then proceeds to loop through the resulting orders.
• If an attacker sets a high value for offset (e.g., offset = 1000) while the total activeOrdersCount is low, the function would attempt to fetch orders that don't exist, resulting in wasted gas.
• Conversely, if the offset is larger than the total number of orders, the loop will end up doing minimal work, but it could still impact other users who are trying to fetch data at the same time by causing delays in processing.

Internal Precondition:

• The function assumes that the offset and limit parameters will be provided by the caller without any restrictions or checks on their validity.
• The activeOrdersCount variable should accurately reflect the current number of active auction orders. If this count is incorrect or manipulated, the function's behavior could be unpredictable.

External Precondition:

• The contract allows anyone to call the getActiveAuctionOrders function without any restrictions, meaning it is open to malicious users.
• An attacker must know the number of active auction orders (activeOrdersCount) to construct an effective attack.

ATTACK PATH

1. Step 1: An attacker monitors the activeOrdersCount and determines that the contract has a large number of active orders (e.g., 1000 orders).
2. Step 2: The attacker calls the getActiveAuctionOrders function with a large offset (e.g., offset = 1000) and a minimal limit (e.g., limit = 1).
3. Step 3: The function will attempt to process a large number of auction orders starting from the provided offset, but many of the orders may not exist, causing the contract to process non-existent data and consume excessive gas.
4. Step 4: This results in failed or delayed execution of the function, causing a DOS (Denial of Service) for legitimate users, especially if the attacker calls this function frequently.

This contract would allow the attacker to repeatedly invoke the vulnerable function with the offset set to a high value, causing gas exhaustion and potentially preventing legitimate users from interacting with the auction.

MITIGATION

To mitigate this DOS vulnerability, the following changes should be implemented:

1. Limit the offset range: Ensure that the offset parameter cannot exceed a reasonable range (e.g., less than the total number of active auction orders). This can be done by enforcing a check on the offset value:

   require(offset < activeOrdersCount, "Offset exceeds active orders count.");

batch processing.