code-423n4 / 2022-11-size-findings


Some bidders who withdraw would claim more of the baseToken when auction CliffPercent value is 1 #339

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/util/CommonTokenMath.sol#L47-L69

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L451-L464

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L370

Vulnerability details

Impact

If an auction is created with a.timings.cliffPercent set to 1, then during withdrawal of baseTokens after the auction ends, some bidders who withdraw would claim more tokens than others of the baseToken amounts.

Proof of Concept

  1. Auction A is created with a cliffPercent of 1 and bid on.
  2. Auction A ends and Alice is the first bidder to withdraw.
  3. In the withdraw call, the baseTokensAvailable is calculated by the function tokensAvailableForWithdrawal(). tokensAvailableForWithdrawal() is calculated by the CommonTokenMath library: https://github.com/code-423n4/2022-11-size/blob/main/src/util/CommonTokenMath.sol#L47-L69
  4. In the calculation for the return value in CommonTokenMath.tokensAvailableAtTime(), `cliffAmount` is 1.
  5. This allows Alice and any other caller after to receive more than usual, leaving some bidders unable to withdraw baseTokens.

Tools Used

Recommended Mitigation Steps

trust1995 commented 2 years ago

Submission does not demonstrate why some would receive more than others and how this looks in practice.

c4-judge commented 2 years ago

0xean marked the issue as unsatisfactory: Insufficient quality