Closed. code423n4 closed this issue 3 years ago.
The auctions all have a check now that compares virtual to actual balance at the end of commitETH https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/DutchAuction.sol#L285
per sponsor comment, invalid
Handle
tensors
Vulnerability details
Impact
Samczsun has famously found this exploit in a similar auction contract from sushiswap: https://samczsun.com/two-rights-might-make-a-wrong/
The exploit uses the BoringBatchables library to delegate call a fixed amount of ETH multiple times, thereby gaining multiple credit for it.
It seems like the auction contracts still use BoringBatchables in this way and can be exploited in the same way (in the _commitEth function call through a delegate call on the same auction contract).
Can the developers confirm that the codebase has been updated since the article was written?
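A reduced illustration of the mitigation the sponsor points to (the virtual-versus-actual balance check at the end of the ETH commit path). This is an added example with hypothetical contract and function names, not MISO's code; it shows why a BoringBatchable-style `batch` that delegatecalls into the same contract cannot get `msg.value` credited more than once when the invariant is enforced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical auction that accepts ETH commitments and also exposes a
/// BoringBatchable-style batch entry point (delegatecall into itself).
contract BatchableCommitAuction {
    // Virtual balance: the ETH the contract believes has been committed.
    uint256 public commitmentsTotal;
    mapping(address => uint256) public commitments;

    /// Same shape as BoringBatchable: every inner call runs via delegatecall,
    /// so each one observes the same msg.value of the outer transaction.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!ok) {
                // Bubble up the inner revert reason unchanged.
                assembly { revert(add(result, 32), mload(result)) }
            }
        }
    }

    function commitEth() external payable {
        _commitEth(msg.sender, msg.value);
    }

    function _commitEth(address beneficiary, uint256 amount) internal {
        commitments[beneficiary] += amount;
        commitmentsTotal += amount;
        // Mitigation: the virtual balance must never exceed the real one.
        // address(this).balance already includes this transaction's value,
        // but only once. If the same msg.value were counted a second time
        // through batch(), commitmentsTotal would overtake the real balance
        // here and the whole batch reverts.
        require(
            commitmentsTotal <= address(this).balance,
            "committed ETH exceeds balance"
        );
    }
}
```

The check must run after the accounting update on every commit path (not only in `batch`), since the delegatecalled inner call is the one that sees the inflated total.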