code-423n4 / 2021-09-defiprotocol-findings


Missing interfaces to determine available bounties #164

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

Bounties are critical to incentivize users to settle auctions of rebalancing indices but there is no interface to determine the number and value of existing bounties programmatically besides watching offchain events for bounties added/claimed.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L151

Tools Used

Manual Analysis

Recommended Mitigation Steps

Recommend adding functions to calculate and return bounty tokens and amounts.
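
As an added illustration of the mitigation (this is not code from the defiProtocol repository or from the warden's report), the contract below sketches the view functions a settler or an integrating contract would need to enumerate bounties on-chain. The contract name, struct layout, storage array, event names and the add/claim functions are all assumptions made for the example; they stand in for whatever Auction.sol actually does at the linked lines.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for finding #164. NOT the protocol's Auction.sol: the struct,
// the single storage array and every function/event name are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BountyRegistry {
    struct Bounty {
        address token;
        uint256 amount;
        bool active;
    }

    Bounty[] private _bounties;

    event BountyAdded(address indexed token, uint256 amount, uint256 indexed id);
    event BountyClaimed(address indexed token, uint256 amount, uint256 indexed id);

    /// Deposit `amount` of `token` as a bounty for whoever settles the auction.
    function addBounty(address token, uint256 amount) external returns (uint256 id) {
        require(amount > 0, "zero bounty");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        _bounties.push(Bounty({token: token, amount: amount, active: true}));
        id = _bounties.length - 1;
        emit BountyAdded(token, amount, id);
    }

    /// Pay the listed bounties to `settler`. Access control (only the auction
    /// settlement path may reach this) is assumed to be enforced by the caller.
    function _claimBounties(address settler, uint256[] memory ids) internal {
        for (uint256 i = 0; i < ids.length; i++) {
            Bounty storage b = _bounties[ids[i]];
            require(b.active, "bounty not active");
            b.active = false; // flip state before the external token call
            require(IERC20(b.token).transfer(settler, b.amount), "transfer failed");
            emit BountyClaimed(b.token, b.amount, ids[i]);
        }
    }

    // ---- the on-chain views the finding asks for ----

    /// Number of bounties ever added (active or claimed); valid ids are 0..bountyCount()-1.
    function bountyCount() external view returns (uint256) {
        return _bounties.length;
    }

    /// Full record for one bounty id.
    function getBounty(uint256 id) external view returns (address token, uint256 amount, bool active) {
        Bounty storage b = _bounties[id];
        return (b.token, b.amount, b.active);
    }

    /// Claimable bounties with ids in [start, start+maxCount), as parallel arrays.
    /// Two passes over the range: the first sizes the memory arrays, the second
    /// fills them. Bounding the range keeps gas predictable for on-chain callers.
    function activeBountiesRange(uint256 start, uint256 maxCount)
        public
        view
        returns (uint256[] memory ids, address[] memory tokens, uint256[] memory amounts)
    {
        uint256 end = start + maxCount;
        if (end > _bounties.length) end = _bounties.length;
        uint256 n;
        for (uint256 i = start; i < end; i++) {
            if (_bounties[i].active) n++;
        }
        ids = new uint256[](n);
        tokens = new address[](n);
        amounts = new uint256[](n);
        uint256 j;
        for (uint256 i = start; i < end; i++) {
            if (_bounties[i].active) {
                ids[j] = i;
                tokens[j] = _bounties[i].token;
                amounts[j] = _bounties[i].amount;
                j++;
            }
        }
    }

    /// Every claimable bounty. Unbounded, so meant for off-chain eth_call;
    /// contracts should prefer activeBountiesRange.
    function activeBounties()
        external
        view
        returns (uint256[] memory, address[] memory, uint256[] memory)
    {
        return activeBountiesRange(0, _bounties.length);
    }
}
```

The events stay useful for indexers, but the views let a prospective settler (or a contract that settles on its behalf) read the exact token set and amounts in the same block it decides whether settling is worth the gas, instead of reconstructing state from historical logs. The paginated form is what a contract should call, since the total number of bounties is not under its control and an unbounded loop could exceed the block gas limit.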

frank-beard commented 2 years ago

not an exploit

GalloDaSballo commented 2 years ago

Bounties not being public is an informational finding, as such non-critical