Open sherlock-admin opened 1 year ago
Escalate for 1 USDC
Huge loss of funds for bidder. High risk
Escalation accepted.
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
0xRajeev
high
Canceling an auction does not refund the current highest bidder
Summary
If the collateral token owner cancels the active auction and repays outstanding debt, the current highest bidder will not be refunded and loses their funds.
Vulnerability Detail
The AuctionHouse.createBid() function refunds the previous bidder if there is one. The same logic would also be necessary in the AuctionHouse.cancelAuction() function but is missing.
Impact
If the collateral token owner cancels the active auction and repays the outstanding debt (reservePrice), the current highest bidder is not refunded and therefore loses their funds. A malicious borrower can also exploit this.
Potential exploit scenario: A malicious borrower can let the loan expire without repayment, trigger an auction, let bids below the reserve price come in, and (hope to) front-run any bid >= reserve price to cancel the auction, which effectively lets the highest bidder pay off (most of) the liens instead of the borrower.
Code Snippet
Tool used
Manual Review
Recommendation
Add the refund logic (via _handleOutGoingPayment() to the current bidder) in the cancel auction flow, similar to the create bid flow.
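The missing refund and the recommended fix side by side, as an added illustration that is not Astaria's code: a constructed AuctionHouseModel contract that keeps only the bidder bookkeeping, assumes auctions are keyed by a collateralId, pays bids and the reservePrice repayment in ETH for brevity, and uses _handleOutGoingPayment() as a stand-in for the real payout routine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Constructed model of the flaw in this report, not Astaria's AuctionHouse.
// Assumed: auctions keyed by collateralId, bids and the reservePrice repayment
// paid in ETH for brevity, _handleOutGoingPayment() standing in for the real payout.
contract AuctionHouseModel {
    struct Auction {
        address owner;        // collateral token owner, allowed to cancel
        address bidder;       // current highest bidder, address(0) if none
        uint256 amount;       // current highest bid, held by this contract
        uint256 reservePrice; // outstanding debt the owner repays to cancel
        bool active;
    }
    mapping(uint256 => Auction) public auctions;
    function createAuction(uint256 collateralId, uint256 reservePrice) external {
        auctions[collateralId] = Auction(msg.sender, address(0), 0, reservePrice, true);
    }

    // As in the report: the previous bidder is refunded when they are outbid.
    function createBid(uint256 collateralId) external payable {
        Auction storage a = auctions[collateralId];
        require(a.active && msg.value > a.amount, "inactive or bid too low");
        (address prevBidder, uint256 prevAmount) = (a.bidder, a.amount);
        (a.bidder, a.amount) = (msg.sender, msg.value); // effects before interaction
        if (prevBidder != address(0)) _handleOutGoingPayment(prevBidder, prevAmount);
    }

    // Vulnerable shape: owner repays reservePrice and the auction closes, but the
    // highest bid stays locked in the contract and the bidder loses it.
    function cancelAuctionVulnerable(uint256 collateralId) external payable {
        Auction storage a = auctions[collateralId];
        require(a.active && msg.sender == a.owner, "inactive or not owner");
        require(msg.value == a.reservePrice, "must repay reserve price");
        a.active = false; // no refund of a.bidder's a.amount
    }

    // Fixed shape: refund the current highest bidder exactly as createBid() does.
    function cancelAuction(uint256 collateralId) external payable {
        Auction storage a = auctions[collateralId];
        require(a.active && msg.sender == a.owner, "inactive or not owner");
        require(msg.value == a.reservePrice, "must repay reserve price");
        (address bidder, uint256 amount) = (a.bidder, a.amount);
        (a.active, a.bidder, a.amount) = (false, address(0), 0);
        if (bidder != address(0)) _handleOutGoingPayment(bidder, amount);
    }
    function _handleOutGoingPayment(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payment failed");
    }
}
```

In the fixed flow the state is cleared before the outgoing payment, so a re-entering bidder cannot be refunded twice; whether the refund should instead be pulled by the bidder (so a reverting recipient cannot block cancellation) is a separate design choice.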