Addresses audit High 00 (self-reported after audit)
High 00 (client reported) - Malicious Orb owners can steal from auction bidders by adjusting Orb parameters mid-auction
The Orb allows the creator to set Orb parameters while the Orb is under their control, defined as the Orb being held by the creator or the Orb contract. However, this definition does not include checking whether the auction is running.
By adjusting fee parameters (particularly the Harberger tax, holderTaxNumerator) while the auction is running, the Orb creator can drain the winning bidder's funds in a very short time.
Planned fix: check that the auction has not been started (auctionEndTime > 0) in the onlyCreatorControlled modifier.
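A sketch of the guard described above, added here as an illustration and not taken from the Orb contract or this pull request. Only holderTaxNumerator, auctionEndTime and onlyCreatorControlled come from the description; every other name is hypothetical, and the sketch assumes auctionEndTime is 0 whenever no auction has been started.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative sketch only, not the Orb contract. Names other than
// holderTaxNumerator, auctionEndTime and onlyCreatorControlled are hypothetical.
contract OrbGuardSketch {
    error CreatorDoesNotControlOrb();
    error NotCreator();
    error AuctionRunning();

    address public immutable creator;
    address public holder;             // assumed: creator or this contract until sold
    uint256 public auctionEndTime;     // assumed: 0 while no auction has been started
    uint256 public holderTaxNumerator; // Harberger tax rate numerator

    constructor(uint256 initialTaxNumerator) {
        creator = msg.sender;
        holder = address(this);
        holderTaxNumerator = initialTaxNumerator;
    }

    // Before: "creator controlled" only looks at who holds the Orb. During an
    // auction the contract still holds it, so this check passes while bids are open.
    modifier onlyCreatorControlledWeak() {
        if (holder != creator && holder != address(this)) revert CreatorDoesNotControlOrb();
        _;
    }

    // After: same holder check, plus a revert once an auction has been started.
    modifier onlyCreatorControlled() {
        if (holder != creator && holder != address(this)) revert CreatorDoesNotControlOrb();
        if (auctionEndTime > 0) revert AuctionRunning();
        _;
    }

    function startAuction(uint256 duration) external {
        if (msg.sender != creator) revert NotCreator();
        if (auctionEndTime > 0) revert AuctionRunning();
        auctionEndTime = block.timestamp + duration;
    }

    // Guarded setter: the tax rate bidders saw when bidding cannot change mid-auction.
    function setHolderTaxNumerator(uint256 newNumerator) external onlyCreatorControlled {
        if (msg.sender != creator) revert NotCreator();
        holderTaxNumerator = newNumerator;
    }
}
```

Any code path that finalizes an auction has to reset auctionEndTime to 0 under this assumption, otherwise the creator can never adjust parameters again.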