Lone Carob Worm
Medium
Missing access control in StreamEscrow.forwardAllAndCreateStream allows frontrunning of auction settlement, preventing NFT transfer to winning bidder https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouseV3.sol#L341
In NounsAuctionHouseV3.sol:_settleAuction() calls StreamEscrow.forwardAllAndCreateStream which lacks auction-only access control, allowing frontrunning attacks
- Auction has ended with winning bid
- Attacker needs to be approved operator or owner of the noun
- Attacker needs to be in allowedToCreateStream mapping
No response
- Auction ends with winning bid
_settleAuction()is called- Attacker front-runs the settlement transaction by calling
forwardAllAndCreateStreamwith same nounId - Original settlement transaction will revert on 'stream active' check
- Winning bidder cannot receive their NFT
The winning bidder cannot receive their NFT, effectively DOSing the auction settlement process and potentially locking funds
function testFrontrunningAttack() public {
// Setup
address attacker = address(0x1);
uint256 nounId = 1;
// Give attacker required permissions
streamEscrow.setAllowedToCreateStream(attacker, true);
nouns.approve(attacker, nounId);
// Auction ends
// Attacker frontruns settlement
vm.prank(attacker);
streamEscrow.forwardAllAndCreateStream{value: 1 ether}(nounId, 5);
// Settlement will revert
vm.expectRevert("stream active");
auctionHouse._settleAuction();
}modifier onlyAuction() {
require(msg.sender == address(auction), "only auction");
_;
}
function forwardAllAndCreateStream(uint256 nounId, uint16 streamLengthInTicks)
external
payable
onlyAuction
{
// ... existing code
}