Perfect Yellow Fox
High
Vulnerability Details Despite the contract implementing a pause functionality, the createBid function lacks the whenNotPaused modifier, allowing users to continue placing bids even when the contract is explicitly paused.
NounAuctionHouseV2 and NounAuctionHouseV3 Impact Potential for continued bidding during critical security reviews
Proof of Concept
-
Scenario: Nouns DAO detects a critical vulnerability and activates the pause mechanism to halt auctions.
-
Attack Pathway: A malicious actor bypasses the pause mechanism and continues bidding during the paused state by:
- Submitting bids when auctions shouldn't start.
- Manipulating auction end times.
- Circumventing the intended security freeze.
- Exploitation Steps:
-
Identify the paused contract.
- Use a pre-funded Ethereum wallet.
- Programmatically submit bids.
- Exploit the lack of pause validation to manipulate auctions.
Recommended Mitigation Add the whenNotPaused modifier to both createBid() function overloads
- function createBid(uint256 nounId) external payable override {
+ function createBid(uint256 nounId) external payable override whenNotPaused {
createBid(nounId, 0);
}
- function createBid(uint256 nounId, uint32 clientId) public payable override {
+ function createBid(uint256 nounId, uint32 clientId) public payable override whenNotPaused {
// Existing bid creation logic
}