code-423n4 / 2024-07-reserve-findings


No check for sequencer uptime can lead to dutch auctions executing at bad prices #28

Closed c4-bot-10 closed 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/trading/DutchTrade.sol#L1

Vulnerability details

The DutchTrade contract implements a Dutch auction mechanism for liquidations, but it does not account for potential sequencer downtime on L2s. This oversight could lead to auctions executing at unfair prices, causing losses for the protocol.

The auction price is calculated in the _price() function based on the current block.timestamp. If the sequencer goes offline during an auction and comes back online before the auction ends, the timestamp used for price calculation will have advanced, but no bids could have been placed during the downtime.

This can result in the auction executing at a lower price than the fair market value, as the price decay would have continued during the offline period.

Sequencer downtimes happen occasionally on L2s. For instance, Arbitrum suffered an hour-long outage several months ago.

Impact

Auctions may execute at unfairly low prices if the sequencer is offline for a portion of the auction duration

Proof of Concept

  1. A Dutch auction starts with a 15-minute duration
  2. After 2 minutes (13% of auction time), when the price is still in the geometric decay phase, the sequencer goes offline for 10 minutes
  3. When the sequencer comes back online, there are only 3 minutes left in the auction (80% of auction time has passed)
  4. The _price() function calculates the price as if 12 minutes had passed normally, setting the price in the linear decay phase between bestPrice and worstPrice
  5. A bidder immediately places a bid at this unfairly low price, missing the entire geometric and first linear decay phases

Tools Used

Manual review

Recommended Mitigation Steps

Consider integrating an external uptime feed such as Chainlink's L2 Sequencer Feeds and disallowing bids if the sequencer was offline during the auction's duration.

Assessed type

Other
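One way to implement the recommended bid gate, as an added illustration and not code from the Reserve repository: a modifier that reads the Chainlink L2 Sequencer Uptime Feed and rejects a bid when the sequencer is currently down or when its current "up" status began after the auction opened (meaning it was offline for part of the auction while the block.timestamp-driven decay kept running). The contract name, `startTime`, `bid()` and `_settle()` are hypothetical; the feed address is assumed to be injected at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal Chainlink AggregatorV3 interface (the L2 Sequencer Uptime Feed
/// exposes this). For the uptime feed, `answer` is 0 when the sequencer is
/// up and 1 when it is down; `startedAt` is the timestamp at which the
/// current status began.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative bid gate (hypothetical names, not DutchTrade's own code).
/// It assumes the auction records its opening timestamp in `startTime`.
abstract contract SequencerAwareBid {
    AggregatorV3Interface public immutable sequencerUptimeFeed; // assumption: injected at deployment
    uint256 public startTime;                                   // assumption: set when the auction opens

    error SequencerDown();
    error SequencerWasDownDuringAuction(uint256 cameBackOnlineAt);

    constructor(AggregatorV3Interface feed) {
        sequencerUptimeFeed = feed;
    }

    /// Reverts unless the sequencer has been continuously up since the auction started.
    modifier sequencerUpForWholeAuction() {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert SequencerDown();
        // The current "up" status began at `startedAt`. If that is later than the
        // auction's start, the sequencer was offline for part of the auction and the
        // price decayed during a window in which no bid could have been included.
        if (startedAt > startTime) revert SequencerWasDownDuringAuction(startedAt);
        _;
    }

    /// Bid entry point guarded by the uptime check; auction settlement itself is
    /// left to the inheriting contract.
    function bid() external virtual sequencerUpForWholeAuction returns (uint256) {
        return _settle();
    }

    function _settle() internal virtual returns (uint256);
}
```

Chainlink's own guidance additionally applies a grace period after `startedAt` before trusting dependent price data; whether to add one here depends on whether the auction's price inputs come from feeds that also need time to refresh.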

c4-judge commented 2 months ago

thereksfour marked the issue as unsatisfactory: Out of scope