Electric Cinnabar Barbel
Medium
The settleCurrentAndCreateNewAuction function in NounsAuctionHouseV2 and V3 lacks proper access control, allowing any external actor to create new auctions when the contract is not paused. This contradicts the protocol team's assumption that "only NounsAuctionHouse is authorized to create stream/auctions.” settleCurrentAndCreateNewAuction
function settleCurrentAndCreateNewAuction() external override whenNotPaused {
_settleAuction();
_createAuction();
}The function settleCurrentAndCreateNewAuction can be called by any external address when the contract is not paused. This function:
- Settles the current auction
- Creates a new auction
- Only checks for the whenNotPaused modifier
The lack of access control contradicts the protocol's security assumptions and could lead to unauthorized auction creation.
Unauthorized addresses can create new auctions
Add proper access control using one of these approaches:
Dedicated Role-Based Access:
address public auctionCreator;
modifier onlyAuctionCreator() {
require(msg.sender == auctionCreator, "Not authorized to create auctions");
_;
}
function settleCurrentAndCreateNewAuction() external
override
whenNotPaused
onlyAuctionCreator
{
_settleAuction();
_createAuction();
}OpenZeppelin's Role-Based Access Control:
bytes32 public constant AUCTION_CREATOR_ROLE = keccak256("AUCTION_CREATOR_ROLE");
function settleCurrentAndCreateNewAuction() external
override
whenNotPaused
onlyRole(AUCTION_CREATOR_ROLE)
{
_settleAuction();
_createAuction();
}