code-423n4 / 2021-12-defiprotocol-findings


Extra payments for an auction get stuck #137

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0x0x0x

Vulnerability details

If someone calls settleAuction and inputs more tokens than the person should, tokens get stuck. To avoid this, it would be better to compute inputTokens/inputWeights and outputTokens/outputWeights automatically, since they can be known beforehand. When a bonder sends a settleAuction request, any change to conditions might lead them to lose their funds (or revert). Furthermore, this is a serious attack vector and, for example, web hackers can abuse it without even communicating with a different contract.

Mitigation step

Automate the calculation of inputTokens/inputWeights and outputTokens/outputWeights or add a mechanism to calculate excess amounts for everything and transfer them back to the sender.
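A Python model of the mitigation described above, added here as an example; it is not code from the protocol or from the warden's submission. Required token amounts are derived from the basket's target weights, supply and ibRatio (the formula, the names and the 1e18 scale are assumptions), and anything a bonder sends beyond the computed requirement is returned rather than left in the contract.

```python
BASE = 10**18  # fixed-point scale; assumed to match the 1e18 convention used on-chain


def required_flows(weights, held, supply, ib_ratio):
    """Amounts the basket still needs in (inputs) and must pay out (outputs).

    Assumed model: target holding of each token = weight * supply * ibRatio / BASE,
    where `weights` is the per-unit target, `supply` the basket token supply and
    `ib_ratio` the BASE-scaled ratio this finding discusses. Integer arithmetic
    throughout, as it would be in Solidity.
    """
    inputs, outputs = {}, {}
    for token, weight in weights.items():
        target = weight * supply * ib_ratio // BASE
        current = held.get(token, 0)
        if target > current:
            inputs[token] = target - current
        elif current > target:
            outputs[token] = current - target
    return inputs, outputs


def settle(supplied, weights, held, supply, ib_ratio):
    """Settle with computed amounts: consume only what is required, refund the rest.

    `supplied` is what the bonder sent. Returns (consumed, refund, outputs);
    raises ValueError if any required input is short, mirroring a revert.
    """
    inputs, outputs = required_flows(weights, held, supply, ib_ratio)
    consumed, refund = {}, {}
    for token, needed in inputs.items():
        got = supplied.get(token, 0)
        if got < needed:
            raise ValueError(f"insufficient {token}: need {needed}, got {got}")
        consumed[token] = needed
        if got > needed:
            refund[token] = got - needed
    # Tokens sent that the basket does not need at all are returned whole;
    # without this branch they would simply sit in the contract.
    for token, got in supplied.items():
        if token not in inputs and got:
            refund[token] = got
    return consumed, refund, outputs
```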

frank-beard commented 2 years ago

This is correct; however, we are not as concerned with having more tokens than is needed, and future rebalances can correct this issue. I would consider this as a low/medium risk, as perhaps a naive publisher could not recognize this and create issues when rebalancing.

0xleastwood commented 2 years ago

I don't think there will be any changes to the basket's ibRatio when an auction is ongoing. Basket.sol does not allow for such changes and Basket.handleFees() is the only function which updates ibRatio. At best, I think this is a low severity issue as automatically calculating the correct token amounts prevents bonded users from making mistakes upon calling settleAuction().