The person with the same number of bidding tokens can become the highest bidder in some cases. Due to variability in the bidIncrement in during the auction.
Proof of Concept
The bidIncrement can be changed during the auction due to unchecked calling of the function updateBidIncrement() during the auction.
If by mistake the bidIncrement is changed to be decreased or set to Zero, then this will lead to the user bidding the same value to be the highestBidder.
Recommended Mitigation Steps
A check should be included in the function updateBidIncrement()
if (block.number <= lotItem.endBlock) revert AuctionNotEnded();
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L151
Vulnerability details
Impact
The person with the same number of bidding tokens can become the highest bidder in some cases. Due to variability in the bidIncrement in during the auction.
Proof of Concept
The
bidIncrement
can be changed during the auction due to unchecked calling of the functionupdateBidIncrement()
during the auction. If by mistake thebidIncrement
is changed to be decreased or set to Zero, then this will lead to the user bidding the same value to be the highestBidder.Recommended Mitigation Steps
A check should be included in the function
updateBidIncrement()
Assessed type
Other