code-423n4 / 2024-05-gondi-mitigation-findings


H-05 MitigationConfirmed #45

Open c4-bot-2 opened 3 months ago

c4-bot-2 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

H-05: triggerFee is stolen from other auctions during settleWithBuyout()

Comments

Original vulnerabilities: settleWithBuyout() transfers the originator fee directly from the liquidator contract balance. The problem is that during the buyout flow, no bids have been placed, so there’s no fee in the contract to pay for the originator fee.

Original impacts: This will either revert the buyout tx, or, when other auctions are going in parallel, this steals fees from proceeds of other loan auctions.

Mitigation:

Fix: https://github.com/pixeldaogg/florida-contracts/pull/370/files

//src/lib/AuctionWithBuyoutLoanLiquidator.sol
    function settleWithBuyout(
        address _nftAddress,
        uint256 _tokenId,
        Auction calldata _auction,
        IMultiSourceLoan.Loan calldata _loan
    ) external nonReentrant {
...

        asset.safeTransferFrom(buyer, _auction.originator, totalOwed.mulDivDown(_auction.triggerFee, _BPS));
...

The originator fee is now transferred from buyer/msg.sender, which is the lender initiating the buyout tx. This eliminates the attack vector and resolves the issue.

Test

The revised test is passing.

Conclusion

LGTM
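The accounting difference between the original and mitigated fee payment, as an added example that is not part of the original thread or the project's code: a simplified Python model of the token ledger covering only the fee transfer. The account names, the sample amounts and `BPS = 10_000` are assumptions, and allowances and the rest of the buyout flow are omitted.

```python
# Simplified model (added example, not the project's code): a token ledger
# and the two fee-payment variants discussed in the finding.
BPS = 10_000  # assumed value of _BPS (basis-point denominator)


class Ledger:
    """Minimal token ledger; a transfer reverts (raises) on insufficient balance."""

    def __init__(self, balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise RuntimeError("revert: insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount


def trigger_fee(total_owed, fee_bps):
    # Mirrors totalOwed.mulDivDown(triggerFee, _BPS): floor division.
    return total_owed * fee_bps // BPS


def settle_with_buyout(ledger, buyer, originator, total_owed, fee_bps, fixed):
    """Model only the originator-fee transfer of the buyout.

    fixed=False: fee is paid from the liquidator contract's own balance.
    fixed=True:  fee is pulled from the buyer, as in the mitigation.
    """
    payer = buyer if fixed else "liquidator"
    ledger.transfer(payer, originator, trigger_fee(total_owed, fee_bps))


def run(fixed, other_auction_bids):
    """Return the liquidator balance after one buyout.

    other_auction_bids is constructed sample data: proceeds the contract
    holds for unrelated, parallel auctions. It must be unchanged afterwards.
    """
    ledger = Ledger({"liquidator": other_auction_bids, "buyer": 1_000, "originator": 0})
    settle_with_buyout(ledger, "buyer", "originator",
                       total_owed=10_000, fee_bps=50, fixed=fixed)
    return ledger.bal["liquidator"]


if __name__ == "__main__":
    print("original, parallel auction holds 500:", run(False, 500))
    print("mitigated, parallel auction holds 500:", run(True, 500))
```

The invariant to check in a regression test is that the liquidator's balance after a buyout equals the proceeds held for other auctions.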

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory

c4-judge commented 3 months ago

alex-ppg marked the issue as confirmed for report