rsam_eth - Possible greifing of auctions at no cost if immediateTreasuryBPs is 0

[sherlock-admin4]

rsam_eth

Medium

Possible greifing of auctions at no cost if immediateTreasuryBPs is 0

Summary

The immediateTreasuryBPs represents the percentage of a winning bid that is transferred immediately to the treasury after an auction settlement. However, if this percentage is set to zero, it creates a vulnerability that allows an attacker to place an inflated bid, win the auction, then withdraw their ETH using streamEscrow::cancelStream. The attacker can then place another high bid in the subsequent auction, effectively preventing smaller investors from ever having a chance to win a Noun. This exploit could lead to repeated manipulation, with the attacker cycling through auctions without risking any of their own funds.

Root Cause

The NounsAuctionHouseV3::_settleAuction function calculates the portion of the winning bid that is sent to the treasury immediately, based on the immediateTreasuryBPs value:
https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouseV3.sol#L332-L338

        auctionStorage.settled = true;
        uint256 amountToSendTreasury = (_auction.amount * immediateTreasuryBPs) / 10_000;
        uint256 amountToStream = _auction.amount - amountToSendTreasury;

        if (amountToSendTreasury > 0) {
            _safeTransferETHWithFallback(owner(), amountToSendTreasury);
        }

and locks the rest of bid in the streamEscrow:

        if (amountToStream > 0) {
            streamEscrow.forwardAllAndCreateStream{ value: amountToStream }(_auction.nounId, streamLengthInTicks);

If immediateTreasuryBPs is zero, the entire winning bid amount is locked in the streamEscrow, and the funds are not immediately sent to the treasury. After the new stream is created, the noun owner can cancel the stream and withdraw the ETH using streamEscrow::cancelStream:
https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/StreamEscrow.sol#L167-L186

Internal pre-conditions

• immediateTreasuryBPs becomes zero after a DAO proposal

External pre-conditions

No response

Attack Path

1- A proposal is executed, setting immediateTreasuryBPs to zero.
2- An attacker exploits this by placing a high bid (e.g., 100 ETH) on the current auction.
3- The attacker wins the auction by calling settleCurrentAndCreateNewAuction, then immediately calls streamEscrow::cancelStream to withdraw the ETH.
4- The attacker waits for the next auction and repeats the process by placing the withdrawn ETH as the highest bid.
This cycle continues until someone else places a higher bid, in which case the attacker withdraws their funds and may continue the attack with an even higher bid.

Impact

This vulnerability effectively prevents smaller investors from participating in auctions, creating a market where attackers can repeatedly place high bids without risking their own funds. This leads to an unfair auction process, where legitimate participants have little to no chance of winning a Noun, as the attacker controls the outcome of every auction.

PoC

No response

Mitigation

Currently, this attack is not possible since immediateTreasuryBPs is zero. However, if future DAO proposals decrease this value, the attack becomes feasible with minimal cost. A potential mitigation would be to implement a minimum threshold for immediateTreasuryBPs.