Skip to content

Latest commit

 

History

History
89 lines (55 loc) · 3.32 KB

096.md

File metadata and controls

89 lines (55 loc) · 3.32 KB

Steep Velvet Guppy

Medium

When auction is nearing it end, it will not extend as expected when a user createBid

Summary

When a bidder createBid inside both NounsAuctionHouseV2 and NounsAuctionHouseV3 when the time remaning of the auction is less than _timeBuffer and a user bids on an auction, it normally needs to extend it with the timeBuffer set by the admin.

However this does not happen as the endTime is not extended with the timeBuffer, but the current bidder's createBid block.timestamp is extended with the timeBuffer.

Which will cause the auction endTime to be set much earlier than the expected timeBuffer.

https://github.com/sherlock-audit/2024-11-nounsdao/blob/8b6fb94f103134e751cf016e5c3f4185be89bb49/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouseV2.sol#L150-#L159

https://github.com/sherlock-audit/2024-11-nounsdao/blob/8b6fb94f103134e751cf016e5c3f4185be89bb49/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouseV3.sol

        // Extend the auction if the bid was received within `timeBuffer` of the auction end time
        bool extended = _auction.endTime - block.timestamp < _timeBuffer;

        emit AuctionBid(_auction.nounId, msg.sender, msg.value, extended);
        if (clientId > 0) emit AuctionBidWithClientId(_auction.nounId, msg.value, clientId);

        if (extended) {
            auctionStorage.endTime = _auction.endTime = uint40(block.timestamp + _timeBuffer);
            emit AuctionExtended(_auction.nounId, _auction.endTime);
        }
        ```
        
 block.timestamp is added to the _timeBuffer instead of the auction end time.
 
 ```solidity
 auctionStorage.endTime = _auction.endTime = uint40(block.timestamp + _timeBuffer);

Root Cause

In both NounsAuctionHouseV2.sol and NounsAuctionHouseV3.sol, when a bid is created with CreateBid and the time remaining of the auction is less than the time_buffer.

It will use the block.timestamp instead of the auction end time,

Lets assume: _timeBuffer = 15 minutes. Contest ending in 10 minutes. User submits a bid 10 minutes before the end of the auction.

  bool extended = _auction.endTime - block.timestamp < _timeBuffer;

This will be true as there are less than 15 minutes remaning if you substract _auction.endTime with block.timestamp as the contest is ending in 10 minutes in this example.

      if (extended) {
          auctionStorage.endTime = _auction.endTime = uint40(block.timestamp + _timeBuffer);
          emit AuctionExtended(_auction.nounId, _auction.endTime);
      }

Now auctionsStorage.endTime will be changed into block.timestamp + _timeBuffer, which will be 10 minutes before the auction is ending + 15 mins.

Which will only add 5 minutes to the endTime instead of the 15 minutes which is expected, the issue arises with adding the block.timestamp with the _timeBuffer, instead of the adding the _auction.endTime with the _timeBuffer.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

  • The auctions will not get extended by the timebuffer as expected.

PoC

No response

Mitigation

Add the timeBuffer on top of the auction.endTime instead of the block.timestamp, so you can make sure the endTime is extended correctly with the _timeBuffer