The auction wouldn't work properly when the quote token is a `fee-on-transfer` token.

[code423n4]

Lines of code

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L163

Vulnerability details

Impact

The auction wouldn't work properly when the quote token is a fee-on-transfer token.

When the bidders place a bid with a custom amount of quote token, it doesn't check the real balance after the quote token is transferred.

As a result, the contract might have less balance than it should and the auction won't work as expected.

Proof of Concept

Let's assume the quote token is a fee-on-transfer token.

• A seller created an auction with baseAmount = 100.
• A bidder placed a bid with baseAmount = 100, quoteAmount = 100.
• A bidder deposited 100 of quote tokens but the real balance of the contract is 99 here.

    SafeTransferLib.safeTransferFrom(ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount);

• When the seller tries to finalize the auction, filledQuote will be 100 and it will revert here because of insufficient quote token in the contract.

    SafeTransferLib.safeTransfer(ERC20(a.params.quoteToken), a.data.seller, filledQuote);

• When the bidder tries to cancel his bid, it will revert also here.

    SafeTransferLib.safeTransfer(ERC20(a.params.quoteToken), msg.sender, b.quoteAmount);

So the bidder can't cancel his bid and lose his funds.

Tools Used

Foundry

Recommended Mitigation Steps

We should store the correct balance of the quote token when bidders place a bid here.

uint256 balanceBeforeTransfer = ERC20(auctionParams.quoteToken).balanceOf(address(this));

SafeTransferLib.safeTransferFrom(ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount);

uint256 balanceBeforeTransfer = ERC20(auctionParams.quoteToken).balanceOf(address(this));

ebid.quoteAmount = balanceBeforeTransfer - balanceBeforeTransfer;

[c4-judge]

0xean marked the issue as duplicate

[c4-judge]

0xean marked the issue as satisfactory