search

code-423n4 / 2022-11-size-findings

1 stars 0 forks source link

Locking the bidder's fund even after the reveal period #190

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L426

Vulnerability details

Impact

If an auction is not revealed by the seller, bidders can not refund/withdraw their funds, because of the modifier atState(idToAuction[auctionId], States.Finalized):

modifier atState(Auction storage a, States _state) {
        if (block.timestamp < a.timings.startTimestamp) {
            if (_state != States.Created) revert InvalidState();
        } else if (block.timestamp < a.timings.endTimestamp) {
            if (_state != States.AcceptingBids) revert InvalidState();
        } else if (a.data.lowestQuote != type(uint128).max) {
            if (_state != States.Finalized) revert InvalidState();
        } else if (block.timestamp <= a.timings.endTimestamp + 24 hours) {
            if (_state != States.RevealPeriod) revert InvalidState();
        } else if (block.timestamp > a.timings.endTimestamp + 24 hours) {
            if (_state != States.Voided) revert InvalidState();
        } else {
            revert();
        }
        _;
    }

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L336 https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L358

Proof of Concept

Suppose, a seller creates an auction, and after the endTimestamp, the seller does not call reveal, so the bidder's deposit will be locked, because the bidders can withdraw/refund only if it is in the finalized state. The condition to be in finalized state is to have a.data.lowestQuote != type(uint128).max. Moreover, a.data.lowestQuote will set when the seller calls reveal/finalize function. https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L238

The worst situation is that the seller (malicious user) creates an auction for 100 USDC, and receives bids with accumulated value more than 100 USDC (for example, bidderA bids 99 DAI, bidderB bids 98 DAI, bidderC 97 DAI. In this case, 294 DAI is locked in the protocol by the bidders). If the seller does not reveal/finalize the auction after the reveal period endTimestamp + 24 hours, bidder's fund will be locked until the seller cancel the auction. Of course, the seller's fund will be locked, but the impact on the bidders will be much higher.

Tools Used

Recommended Mitigation Steps

There should be a mechanism that if after the reveal period, the auction is still not finalized, anyone can cancel the auction, so bidders' funds will not be locked in this situation.

trust1995 commented 2 years ago

They can still call cancelBid to get their money back.

c4-judge commented 2 years ago

0xean marked the issue as unsatisfactory: Invalid