a16z / auction-zoo Goto Github PK

Hi, thanks for @sbacha's sharing, I came across this repository.

For this line

    function commitBid(
        address tokenContract, 
        uint256 tokenId, 
        bytes20 commitment
    ) ... { ... }

I like to get some feedback about thoughts on considering also supporting ERC5732 Commit Interface

    function commitFrom(
        address _from,
        bytes32 _commitment,
        bytes calldata _extraData)
    payable external returns(uint256 timePoint) {
             ...
    }

For example, it can be done by adding

    function commitFrom(
        address _from,
        bytes32 _commitment,
        bytes calldata _extraData)
    payable external returns(uint256 timePoint) {
             address tokenContract = _extraData[0:20];
             uint256 tokenId = _extraData[20:52];
             _commitBid(address tokenContract, uint256 tokenId, bytes20 commitment);
    }

The benefit is in the future if we want to expand this OverCollateralizedAuction to other type of assets, e.g.
ERC1155, we could also add amount

    function commitFrom(
        address _from,
        bytes32 _commitment,
        bytes calldata _extraData)
    payable external returns(uint256 timePoint) {
             address tokenContract = _extraData[0:20];
             address tokenId = _extraData[20:52];
             uint256 amount = _extraData[52:84];  // Newline to support ERC1155
             /*a newer version of*/ ... _commitBidERC1155(address tokenContract, uint256 tokenId, bytes20 commitment);
    }

And thus mobile or web clients who have been built to commitFrom would be able to support this change with backward compatibility.

Thanks!

Arcology is an EVM compatible L1 that has ability to process multiple transactions simultaneously. We have built Solidity APIs to help contract developers take full use of our parallel design. We have successfully parallelized some applications like CryptoKitties and DSToken using these APIs. We are currently working on parallelizing collateralized auction.

Parallelization
Parallelization means rewriting the code so that the system can process multiple transactions calling the same interface of the same contract in full parallel without having any problem.

Source Code
The source code is here. Please let me know if you have any questions or comments. Will let you know once it is done.

nevermind I missed transferFrom call which would revert. Time for some sleep I guess.

Cool repo. In the case of (create2-based) SneakyAuction, at auction end you could potentially deploy preset bytecode to transfer/sweep an ERC20 to the highest bidder, and similarly for withdrawing to non-winning bids back to the original account. Is it possible/did you consider this and what if any difficulties did you foresee?

I checked and resolved my earlier (unedited) issue.

Just adding quick (other) note:
When running on goerli testnet - ethereumjs throws error "EIP1559 not supported" when genereting proofs. So need to update common parameter to add EIP1599 support.

At the moment, bid commits are truncated to 160 bits: bytes20 bidHash = bytes20(keccak256(abi.encode(nonce, bidValue)));
Bidders control their nonce and bidValue and thus, it is possible to find two bids (one with a large amount and another with a small amount) with the same hash by just offchain retrying/playing with the nonce value.

Then, based on the 2nd highest bid, they can decide if they open the commitment with the large amount (to win the auction item) or the small amount (to get refunded).

Although it's an expensive attack, it's theoretically feasible with today's CPU power. Unfortunately, the attack is also reusable. The current smart-contract design does not apply any domain separation flag in the hash-inputs, which implies that an adversary can find one such collision and reuse it in different auctions. Well, if one reuses commitments between auctions, others can spot this if they do analysis in past transactions for matching commitments, but that's a detail. Including the auctionID in the hash inputs would be preferable as a hygiene solution to avoid such edge cases.

PS: obviously for the attack to make sense, one should consider the energy + resources cost of a 2^80 collision, thus it would only matter in practice for very expensive auctioned items (or reuse many times), but still; cryptographically, the advertised security of the current auction contract is considered to be @80bits, which is not ideal.

To sum up: a straightforward proposal is
a) do not truncate the commitment hashes.
b) add auctionID as hash input to the commitment derivation, to avoid reusing the same commit in different auctions.