Hello Fellow DAO members,
This post is an announcement of a vulnerability found and resolved in the auction house contract that was brought to the attention of DAO Council.
Funds safu. DAO Council suspended RARE payments while a fixed was implemented. The fix went live September 4th, 2023 11:43:35 PM +UTC which additionally re-instated RARE payments.
On August 19th, the existence of a vulnerability by means of the
convertOfferToAuction function on the Auction house logic contract was brought to the DAO Council’s attention by @ayeslick.
The exploit was only viable so long RARE payments were enabled. The council temporarily suspended RARE payments until the fix went live.
The short version of the summary is that one could create an auction in RARE and then switch it to be an ETH auction and get the auction to payout in ETH.
This was possible by using a Fake NFT contract. By fake I mean an NFT contract that didn’t actually change owners when the transfer function was called. Because our auction contract escrows the NFT, it assumed that once an auction started, the NFT would be in escrow. With the Fake NFT contract, an auction in RARE could be started using the
convertOfferToAuction but still allow a new auction to be configured with the converted offer (now a bid) remaining in place.
The exploiter could configure a new auction with a different currency, in this case ETH, and then once the auction settled, the auction creator would be paid out in ETH, the amount of RARE initially put up when
convertOfferToAuction was called.
An explanation as well as a test case exist on the repository. See this Pull Request for further details.
This was fixed by:
- Preventing auctions being configured if a bid exists (i.e. it is a running auction)
- Adding a check in the
convertOfferToAuctionfrom working if there is a running or unsettled auction
- When an auction is settled, it settles referencing the currency sent with the
bidso that it only ever uses the same currency as the currency sent into the contract.
Huge thank you to Ayeslick for bringing this to our attention and through the discretion of our bug bounty program.
Another big thank you to @koloz writing the majority of the fix to get this resolved in a timely manner.