Lines of code
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L351 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L381 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L439
Vulnerability details
Impact
ERC20 tokens that are deflationary (fee-on-transfer) or that rebase downward change the balance the contract actually holds after a deposit. That balance can become insufficient at the time of withdraw(), refund() or cancel(), and the affected bidders' funds are then locked (denial of service). The only way to free them is to send more quoteToken into the contract, which is impractical and a loss for the protocol. There is also no guarantee that the balance stays above the required amount until the end time, so the lock and loss issues persist.
Proof of Concept
The problem originates at Line 163, where the contract records the requested bid amount but receives fewer quoteToken from the bidder than that amount:
Line 163
Transfers of quoteToken to the bidders go through at first, but the recorded amounts add up to more than the contract holds, so as the balance is depleted every subsequent transfer fails. Consequently withdraw(), refund() or cancel() revert, locking the remaining bidders' funds (DoS). This happens whether or not the seller reveals the private key:
Line 351
Line 381
Line 439
Recommended Mitigation Steps
Disallow variable-balance tokens of this nature by applying the same sanity check that is already performed on baseToken to the quoteToken transfer at Line 163.
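The following Solidity code is an added illustration, not code from the SizeSealed repository: a constructed fee-on-transfer token stands in for a deflationary quoteToken, and a hypothetical Escrow contract contrasts the unchecked pull (record the requested amount, receive less) with the balance-delta sanity check the mitigation proposes. The names FeeOnTransferToken, Escrow, bidUnchecked, bidChecked and UnexpectedBalanceChange are assumptions made for this example, as is the assumption that the existing baseToken check compares the contract balance before and after the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed below.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function transfer(address, uint256) external returns (bool);
}

// Constructed fee-on-transfer token (assumption, not a real token): burns
// 1% of every transfer, so the receiver gets less than `amount`.
contract FeeOnTransferToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    uint256 public constant FEE_BPS = 100; // 1%

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[from] -= amount;      // checked arithmetic: reverts if short
        balanceOf[to] += amount - fee;  // the fee is burned
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    // Allowance bookkeeping omitted for brevity; not the point of the example.
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        _move(from, to, amount);
        return true;
    }
}

// Hypothetical escrow mirroring the bid/refund pattern of the finding.
contract Escrow {
    error UnexpectedBalanceChange();

    IERC20 public immutable quoteToken;
    mapping(address => uint256) public bidOf;

    constructor(IERC20 token) {
        quoteToken = token;
    }

    // Vulnerable pattern (as at Line 163): trusts the requested amount even
    // though a fee-on-transfer token delivers less than that.
    function bidUnchecked(uint256 quoteAmount) external {
        quoteToken.transferFrom(msg.sender, address(this), quoteAmount);
        bidOf[msg.sender] += quoteAmount;
    }

    // Hardened pattern: measure what actually arrived and refuse anything
    // else, so no under-collateralised bid is ever recorded.
    function bidChecked(uint256 quoteAmount) external {
        uint256 before = quoteToken.balanceOf(address(this));
        quoteToken.transferFrom(msg.sender, address(this), quoteAmount);
        uint256 received = quoteToken.balanceOf(address(this)) - before;
        if (received != quoteAmount) revert UnexpectedBalanceChange();
        bidOf[msg.sender] += quoteAmount;
    }

    // refund() pays out the recorded amount. After unchecked bids the escrow
    // is short, so the last refund reverts and those funds are locked.
    function refund() external {
        uint256 amount = bidOf[msg.sender];
        bidOf[msg.sender] = 0;
        quoteToken.transfer(msg.sender, amount);
    }
}

// Walkthrough (constructed scenario): two bidders each call bidUnchecked(100).
// The escrow holds 198 but has recorded 200. The first refund() of 100
// succeeds (198 - 100 = 98); the second reverts on underflow (98 - 100),
// which is the DoS described above. With bidChecked(100) the very first bid
// already reverts with UnexpectedBalanceChange, because only 99 arrived.
```

The check is deliberately an exact equality rather than `received >= quoteAmount`: a token that delivers more than requested (rebasing up, or a transfer hook crediting extra) would otherwise let the contract's accounting drift in the other direction, and the cleanest policy for a sealed auction is to refuse any token whose transfer semantics are not one-to-one.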