Closed c4-bot-2 closed 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #404
MarioPoneder marked the issue as unsatisfactory: Invalid
MarioPoneder changed the severity to QA (Quality Assurance)
MarioPoneder marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L400
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/ERC20TokenEmitter.sol#L152
Vulnerability details
Governance tokens use VRGDA to adjust the price of a token to adhere to a specific issuance schedule. This means that for a time t the price will be higher the more tokens have been sold until then.
When the deadline of an auction is reached and settled, governance tokens are minted to the creators of the art piece and the creatorsAddress address. Given that the auction deadline is known beforehand, there are incentives to buy governance tokens just before the auction is settled to receive more tokens. This will result in the creators receiving fewer tokens than expected.
Impact
Creators receive fewer governance tokens than expected.
Proof of Concept
Add the following code snippet to AuctionSettling.t.sol:
Console output:
As we can see, when the user buys governance tokens just before the auction is settled, the tokens received by the creator are almost half of the tokens received when the user does not buy governance tokens.
Tools Used
Manual inspection.
Recommended Mitigation Steps
A possible solution would be reserving a percentage of the governance tokens for the buys done through the AuctionHouse contract.
Assessed type
Other
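The pricing effect described in the report can be quantified with a small model. This is an added example, not the warden's proof of concept or the protocol's code. It assumes a simplified continuous linear VRGDA, constructed parameters, and that settlement spends a fixed ETH amount on tokens for the creators.

```python
import math

# Constructed parameters for a simplified continuous linear VRGDA.
# They are assumptions for illustration, not the protocol's deployed values.
TARGET_PRICE = 1.0       # ETH per token when sales are exactly on schedule
DECAY_PER_DAY = 0.10     # price drop per day of being behind schedule
TOKENS_PER_DAY = 1000.0  # issuance schedule

LAM = -math.log(1.0 - DECAY_PER_DAY)


def spot_price(t_days, sold):
    """Price of the next marginal token at time t with `sold` tokens issued."""
    return TARGET_PRICE * math.exp(-LAM * (t_days - sold / TOKENS_PER_DAY))


def cost_of_tokens(amount, t_days, sold):
    """ETH needed to mint `amount` tokens: integral of spot_price over supply."""
    scale = TARGET_PRICE * math.exp(-LAM * t_days) * TOKENS_PER_DAY / LAM
    return scale * (math.exp(LAM * (sold + amount) / TOKENS_PER_DAY)
                    - math.exp(LAM * sold / TOKENS_PER_DAY))


def tokens_for_payment(eth, t_days, sold):
    """Inverse of cost_of_tokens: tokens minted for a fixed ETH payment."""
    scale = TARGET_PRICE * math.exp(-LAM * t_days) * TOKENS_PER_DAY / LAM
    grown = eth / scale + math.exp(LAM * sold / TOKENS_PER_DAY)
    return TOKENS_PER_DAY / LAM * math.log(grown) - sold


def creator_mint(creator_eth, t_days, sold, prior_buy_eth=0.0):
    """Tokens minted to creators at settlement, optionally after a prior buy."""
    if prior_buy_eth > 0:
        sold += tokens_for_payment(prior_buy_eth, t_days, sold)
    return tokens_for_payment(creator_eth, t_days, sold)


if __name__ == "__main__":
    t, sold = 10.0, 10_000.0  # on schedule, so spot price == TARGET_PRICE
    for prior in (0.0, 1_000.0, 5_000.0):
        minted = creator_mint(100.0, t, sold, prior)
        print(f"prior buy {prior:>7.0f} ETH -> creators mint {minted:8.2f} tokens")
```

In this model the creators' mint shrinks as the purchase made in the same block grows, because both buys are priced at the same time t but against a larger sold supply.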