Open code423n4 opened 2 years ago

Handle
0xRajeev

Vulnerability details

Impact
Bounties are critical to incentivize users to settle auctions of rebalancing indices, but there is no interface to determine the number and value of existing bounties programmatically besides watching off-chain events for bounties added/claimed.

Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L151

Tools Used
Manual Analysis

Recommended Mitigation Steps
Recommend adding functions to calculate and return bounty tokens and amounts.

not an exploit

Bounties not being public is an informational finding, as such non-critical
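As an added illustration of the recommended mitigation (this is example code, not code from the audited Auction.sol), the sketch below shows read-only view functions that expose the count and the token/amount of every unclaimed bounty, so a settler or monitoring tool can query them directly instead of reconstructing state from events. The struct, storage array and function names (Bounty, _bounties, addBounty, bountyCount, getActiveBounties) are assumptions, since the page does not show the contract's storage layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical sketch of bounty storage plus the missing read interface.
/// Names and layout are assumptions, not the audited Auction.sol.
contract BountyView {
    struct Bounty {
        address token;
        uint256 amount;
        bool active; // false once the bounty has been claimed by a settler
    }

    Bounty[] internal _bounties;

    event BountyAdded(uint256 indexed id, address indexed token, uint256 amount);
    event BountyClaimed(uint256 indexed id, address indexed token, uint256 amount);

    /// Records a bounty. The token transfer-in is omitted: this contract only
    /// illustrates how the read side can be exposed.
    function addBounty(address token, uint256 amount) external returns (uint256 id) {
        id = _bounties.length;
        _bounties.push(Bounty(token, amount, true));
        emit BountyAdded(id, token, amount);
    }

    /// Total number of bounties ever added (claimed ones stay as inactive entries).
    function bountyCount() external view returns (uint256) {
        return _bounties.length;
    }

    /// Tokens and amounts of all unclaimed bounties, as parallel arrays.
    /// Intended for off-chain callers (eth_call); the loop is unbounded, so an
    /// on-chain caller would pay gas proportional to the number of bounties.
    function getActiveBounties()
        external
        view
        returns (address[] memory tokens, uint256[] memory amounts)
    {
        uint256 n;
        for (uint256 i = 0; i < _bounties.length; i++) {
            if (_bounties[i].active) n++;
        }
        tokens = new address[](n);
        amounts = new uint256[](n);
        uint256 j;
        for (uint256 i = 0; i < _bounties.length; i++) {
            if (!_bounties[i].active) continue;
            tokens[j] = _bounties[i].token;
            amounts[j] = _bounties[i].amount;
            j++;
        }
    }
}
```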