code-423n4 / 2022-11-size-findings


Seller does not have any punishment for not finalizing auction #173

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L177-L330

Vulnerability details

Impact

Currently the seller can simply not finalize the auction if he wants. All bidders then lose the gas spent on bidding and bid canceling. The seller can do this as many times as he wants.

Proof of Concept

If the seller does not reveal and finalize the auction within 24 hours after the end, bidders can cancel their bids and the auction is considered failed.

The seller can do this as many times as he wishes, and I believe that this is unfair to the bidders. When an auction is created, the seller provides the reserveQuotePerBase param, which is the minimum amount that the user would like to sell for. As long as that condition is met by any bid, I guess that the auction should be considered successful.

But currently, even if his reserveQuotePerBase value is met, the seller can still choose not to finalize the auction. This means that all bidders will pay for the gas and not buy anything.

Tools Used

VS Code

Recommended Mitigation Steps

Some punishment should be considered. For example, slashing 10% of base tokens and sending them to bidders.
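A model of the mitigation suggested in the report above, as an added example that is not part of the original issue or of the SizeSealed code: once the 24-hour window has passed without finalization, 10% of the escrowed base tokens is split among bidders and the rest returns to the seller. The `Auction` structure, `settle_unfinalized`, the pro-rata split by locked quote amount and the return of rounding dust to the seller are assumptions made for illustration; only the 24-hour window and the 10% figure come from the report.

```python
from dataclasses import dataclass, field

REVEAL_WINDOW = 24 * 60 * 60  # seconds after auction end (from the report)
SLASH_BPS = 1_000             # 10% in basis points (the report's example)


@dataclass
class Auction:  # hypothetical model, not the contract's storage layout
    end_time: int
    base_amount: int                          # base tokens escrowed by seller
    bids: dict = field(default_factory=dict)  # bidder -> quote tokens locked
    finalized: bool = False
    settled: bool = False


def settle_unfinalized(a: Auction, now: int) -> tuple[dict, int]:
    """Return (base-token payout per bidder, base tokens refunded to seller)."""
    if a.finalized or a.settled:
        raise ValueError("auction already finalized or settled")
    if now <= a.end_time + REVEAL_WINDOW:
        raise ValueError("seller can still finalize")
    a.settled = True  # state change first, so the slash cannot be claimed twice
    total_quote = sum(a.bids.values())
    if total_quote == 0:
        return {}, a.base_amount  # no bidder was affected, nothing to slash
    penalty = a.base_amount * SLASH_BPS // 10_000
    # Assumption: split pro rata by locked quote amount, integer math only.
    payouts = {b: penalty * q // total_quote for b, q in a.bids.items()}
    # Floor division leaves dust; refund it so token totals are conserved.
    refund = a.base_amount - sum(payouts.values())
    return payouts, refund
```

The design choice worth reviewing in any real implementation is the split rule: a per-bidder flat share would let cheap dust bids farm the penalty, which is why this sketch weights by locked quote amount.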

c4-judge commented 2 years ago

0xean marked the issue as duplicate

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-11-size-findings/issues/174