AuctionHouse Whales can win large auctions via block stuffing #463

Closed
c4-bot-10 opened this issue Dec 24, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-685 satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L144-L152
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/test/proposals/gips/GIP_0.sol#L175-L179

Vulnerability details

Impact

Whales (accounts with significant cryptocurrency holdings) can exploit the current auction mechanics to guarantee profits through block stuffing.

This is particularly feasible due to the short duration of auctions, allowing these entities to manipulate auction outcomes in their favor.

Proof of Concept

The protocol uses a Dutch auction format with two phases:

  • First Phase: Bidders must pay the full debt amount. The collateral percentage starts at 0% and increases with each new block until the auction's midpoint.
  • Second Phase: The protocol offers the full collateral and decreases the owed debt by a percentage in each new block, reaching 0% at the auction's end. This implies that a bidder could eventually receive the collateral for free.

Bidders are disincentivized to participate in the first phase, as it generally results in a net loss unless there are force majeure market conditions.

Whales can use a block stuffing attack to win large auctions and acquire collateral at significantly reduced prices.

Example scenario:

  1. Alice has the following bad debt which is auctioned off:
    • Collateral: 2,000,000 USDC
    • Debt: 1,000 WETH (1 WETH = 2,000 USDC)
  2. There are no bidders in the first phase of the auction since this would result in a loss for the bidder.
  3. The auction reaches its midpoint. Collateral cost reduces by ~1.14% every block. This is because the second phase is 1150 sec. (as per the GIP_0.sol deployment script), i.e. 88 blocks on Mainnet. The decay rate is thus 100% / 88 ~ 1.14%.
  4. At the auction's midpoint, Bob executes a block stuffing attack. To make sure his attack would succeed, he uses a gas price of 250 Gwei.
  5. After 88 blocks, Bob bids in the final block and wins 2,000,000 USDC at 0 ETH cost.

The attack cost is:
$$
88\ \text{blocks} \times 30\text{M gas} \times 250\ \text{Gwei} = 66{,}000{,}000{,}000\ \text{Gwei} = 660\ \text{ETH} \approx 1.5\text{M USDC}
$$

Thus, Bob has made a profit of 500,000 USDC.

This strategy, while requiring substantial funds, is a feasible and potentially lucrative attack vector.

The severity is set to Medium given its low likelihood but high impact.

Tools Used

Manual review

Recommended Mitigation Steps

To mitigate this vulnerability, it is recommended to extend the auction duration. Longer auctions would increase the cost and complexity of block stuffing attacks, reducing the likelihood of such exploits.

Assessed type

Other
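Added example (not part of the original report or the project's code): a sizing check for the recommended mitigation, comparing the per-block debt decay of the second phase with the per-block cost of stuffing. It assumes the report's inputs (1,000 WETH debt with collateral worth the same, 30M gas per block, a flat 250 Gwei gas price); the function names are illustrative, and "gain" means the debt discount obtained by delaying the bid minus the stuffing cost.

```python
# Added example: sizing the second auction phase against block stuffing.
# Assumptions (from the report): linear debt decay to 0 over the phase,
# full 30M-gas blocks, flat gas price. All amounts are integers in Gwei.
GWEI_PER_ETH = 10**9


def debt_discount(debt, k, phase_blocks):
    """Debt forgiven k blocks into the second phase (linear decay)."""
    k = max(0, min(k, phase_blocks))
    return debt * k // phase_blocks


def stuffing_cost(k, block_gas, gas_price):
    """Cost of filling k consecutive blocks at a flat gas price."""
    return k * block_gas * gas_price


def best_stuffing_gain(debt, phase_blocks, block_gas, gas_price):
    """(k, gain) with the largest positive discount-minus-cost, else (0, 0)."""
    best = (0, 0)
    for k in range(1, phase_blocks + 1):
        gain = (debt_discount(debt, k, phase_blocks)
                - stuffing_cost(k, block_gas, gas_price))
        if gain > best[1]:
            best = (k, gain)
    return best


def min_phase_blocks(debt, block_gas, gas_price):
    """Shortest phase for which no stuffing run has a positive gain.

    Per-block decay debt/N must not exceed the per-block stuffing cost,
    so N >= ceil(debt / (block_gas * gas_price)).
    """
    per_block = block_gas * gas_price
    return -(-debt // per_block)  # integer ceiling division


if __name__ == "__main__":
    debt = 1_000 * GWEI_PER_ETH       # 1,000 WETH, as in the report
    gas, price = 30_000_000, 250      # 30M gas per block, 250 Gwei
    k, gain = best_stuffing_gain(debt, 88, gas, price)
    print(f"88-block phase: stop at block {k}, gain {gain / GWEI_PER_ETH} ETH")
    n = min_phase_blocks(debt, gas, price)
    print(f"no positive gain from {n} blocks on:",
          best_stuffing_gain(debt, n, gas, price))
```

The threshold grows linearly with the debt being auctioned, so a fixed phase length only covers auctions up to a corresponding size at a given gas price.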

@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 24, 2023
c4-bot-10 added a commit that referenced this issue Dec 24, 2023
@c4-pre-sort

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 4, 2024
@c4-pre-sort

0xSorryNotSorry marked the issue as duplicate of #685

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jan 27, 2024
@c4-judge

Trumpero changed the severity to QA (Quality Assurance)

@c4-judge

Trumpero marked the issue as grade-b

@c4-judge c4-judge reopened this Jan 31, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jan 31, 2024
@c4-judge

This previously downgraded issue has been upgraded by Trumpero

@c4-judge

Trumpero marked the issue as satisfactory
