trust1995
commented
2 years ago Dup of #164 , same warden.
Closed code423n4 closed 2 years ago
trust1995
commented
2 years ago Dup of #164 , same warden.
0xean
commented
2 years ago using #164 as wardens report for
c4-judge
commented
2 years ago 0xean marked the issue as nullified
Lines of code
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L391-L410 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L238
Vulnerability details
Impact
The SizeSealed contract's cancelAuction() function can be called after auction has been finalized, thereby allowing the seller to withdraw both quoteToken during finalization and baseToken after finalization.
This is possible by bypassing the
if (a.data.lowestQuote != type(uint128).max)statement by allowinga.data.lowestQuoteto be set totype(uint128).maxduring the finalize() call whereclearingQuoteandclearingBaseare user controlled. With the control of these arguments in the clearing price calculation during finalize(), the seller can manipulate the finaldata.previousQuotePerBasevalue by using a different address to place the last bid such that the bid's quoteAmount would pass all checks.With all this inputs provided, it would be possible for a seller to finalize the auction, receive quoteTokens for the auction, then call
cancelAuction()to receive back the baseTokens deposited for the auction, leaving bidders rugged.Proof of Concept
clearingQuoteset to type(uint128).max andclearingBaseset to an appropriate number.a.data.lowestQuoteis set totype(uint128).max, the if-statement is bypassed and Alice receives back the baseToken she deposited for the auction.Tools Used
Manual review
Recommended Mitigation Steps
Apply a logic that checks the Auction State, the
atStatemodifier could be applied to ensure the auction is in the AcceptingBids state for the call.