The call to mulDivDown on L377 will revert if the third argument (denominador) is the value zero. See Solmate implementation.
It's possible for a.data.lowestBase to receive the value zero, which will prevent the transfers from L381 and L384.
Impact
If the transfers from L381 and L384 cannot the executed, for an auction with a.data.lowestBase set to zero, calling withdraw() will revert, preventing the withdrawal.
Recommended Mitigation Steps
Only call mulDivDown if a.data.lowerBase is not zero. E.g.
diff --git a/src/SizeSealed.sol b/src/SizeSealed.sol
--- a/src/SizeSealed.sol
+++ b/src/SizeSealed.sol
// Refund unfilled quoteAmount on first withdraw
- if (b.quoteAmount != 0) {
+ if (b.quoteAmount != 0 && a.data.lowestBase != 0) {
uint256 quoteBought = FixedPointMathLib.mulDivDown(baseAmount, a.data.lowestQuote, a.data.lowestBase);
Alternatively, if a auction shoudn't be finalized with a.data.lowestBase set to zero, consider adding a validation on SizeSealed.finalize(). E.g.
Lines of code
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L377 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L381 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L384
Vulnerability details
Proof of Concept
The call to
mulDivDown
on L377 will revert if the third argument (denominador) is the value zero. See Solmate implementation.It's possible for
a.data.lowestBase
to receive the value zero, which will prevent the transfers from L381 and L384.Impact
If the transfers from L381 and L384 cannot the executed, for an auction with
a.data.lowestBase
set to zero, callingwithdraw()
will revert, preventing the withdrawal.Recommended Mitigation Steps
Only call
mulDivDown
ifa.data.lowerBase
is not zero. E.g.Alternatively, if a auction shoudn't be finalized with
a.data.lowestBase
set to zero, consider adding a validation onSizeSealed.finalize()
. E.g.