trust1995
commented
2 years ago This is a risk bidders take. They can reclaim funds after the reveal window.
Closed code423n4 closed 2 years ago
trust1995
commented
2 years ago This is a risk bidders take. They can reclaim funds after the reveal window.
c4-judge
commented
2 years ago 0xean marked the issue as duplicate
c4-judge
commented
1 year ago 0xean marked the issue as satisfactory
c4-judge
commented
1 year ago
Lines of code
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L217
Vulnerability details
Impact
If the auctioneer decides not to reveal the private key, then bidders will waste their time and gas participating in the sealed bid auction.
Proof of Concept
There is no way to force auctioneers to call reveal or finalize their auction. If so, the bidder can call cancelBid and remove their funds after 24 hours since the auction ended since block.timestamp is greater than the end of the auction and block.timestamp is greater than a.timings.endTimestamp + 24 hours.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider putting a penalty if auctioner doesn't call finalize by slashing some of their baseTokens when they call cancelAuction to retrieve their baseTokens.