The createAuction() function checks for tax tokens when transferring baseToken from the seller to the contract:
```solidity
// Passes https://github.com/transmissions11/solmate/blob/main/src/utils/SafeTransferLib.sol#L9
// Transfer base tokens to auction contract and check for tax tokens
uint256 balanceBeforeTransfer = ERC20(auctionParams.baseToken).balanceOf(address(this));
SafeTransferLib.safeTransferFrom(
    ERC20(auctionParams.baseToken), msg.sender, address(this), auctionParams.totalBaseAmount
);
uint256 balanceAfterTransfer = ERC20(auctionParams.baseToken).balanceOf(address(this));
if (balanceAfterTransfer - balanceBeforeTransfer != auctionParams.totalBaseAmount) {
    revert UnexpectedBalanceChange();
}
```
However, bid() lacks a similar check for quoteToken. This creates a problem: the seller cannot finalize the auction and bidders cannot be refunded, because the contract's actual balance is less than expected.
Lines of code
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L288
Vulnerability details
Impact
The createAuction() function checks for tax tokens when transferring baseToken from the seller to the contract. However, bid() lacks a similar check for quoteToken. This creates a problem: the seller cannot finalize the auction and bidders cannot be refunded, because the contract's actual balance is less than expected.
Proof of Concept
The bid() function does not check for tax tokens.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a similar check of the quoteToken balance before and after the transfer, as in createAuction().
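The accounting shortfall described under Impact, and the effect of the recommended balance check, can be traced with a small model. This is an added example, not code from the audited contract: the class names, the two bidders, the amounts and the 2% transfer fee are all assumptions made for illustration.

```python
# Constructed model, not the audited contract; names and the 2% fee are assumptions.
class Revert(Exception):
    pass

class TaxToken:
    """ERC20-like token that withholds fee_bps of every transfer (a tax token)."""
    def __init__(self, fee_bps, balances):
        self.fee_bps, self.bal = fee_bps, dict(balances)
    def balance_of(self, who):
        return self.bal.get(who, 0)
    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise Revert("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.balance_of(dst) + amount - amount * self.fee_bps // 10_000

class Auction:
    ADDR = "auction"
    def __init__(self, quote, check_delta):
        self.quote, self.check_delta, self.owed = quote, check_delta, {}
    def bid(self, bidder, amount):
        snapshot = dict(self.quote.bal)   # lets the model undo state like an EVM revert
        before = self.quote.balance_of(self.ADDR)
        self.quote.transfer(bidder, self.ADDR, amount)
        if self.check_delta and self.quote.balance_of(self.ADDR) - before != amount:
            self.quote.bal = snapshot
            raise Revert("UnexpectedBalanceChange")
        self.owed[bidder] = self.owed.get(bidder, 0) + amount  # books the nominal amount
    def refund(self, bidder):
        amount = self.owed.get(bidder, 0)
        if amount == 0:
            raise Revert("nothing to refund")
        self.quote.transfer(self.ADDR, bidder, amount)  # reverts if the contract is short
        del self.owed[bidder]

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except Revert as exc:
        return str(exc)

def run(check_delta, fee_bps=200):
    """Two bids, then two refunds: (per-step outcome, contract balance, still owed)."""
    token = TaxToken(fee_bps, {"alice": 1000, "bob": 1000})
    auction = Auction(token, check_delta)
    steps = [(auction.bid, "alice", 1000), (auction.bid, "bob", 1000),
             (auction.refund, "alice"), (auction.refund, "bob")]
    log = [attempt(fn, *args) for fn, *args in steps]
    return log, token.balance_of(Auction.ADDR), sum(auction.owed.values())
```

Without the check, the contract books 2000 but holds 1960, so the second refund reverts with 1000 still owed; with the check, both bids revert up front and nothing is left stranded.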