sherlock-audit / 2022-10-astaria-judging


bin2chen - Auction#reservePrice may be less than required #266

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 2 years ago

bin2chen

medium

Auction#reservePrice may be less than required

Summary

Auction#reservePrice, without the addition of the initiatorFee, may be less than required.

Vulnerability Detail

The auction will pay an #initiatorFee when paying, but the fee is not added to #reservePrice when creating the auction, so when cancelling, the price will not be enough.

Impact

Can't clear all lienTokens.

Code Snippet

https://github.com/sherlock-audit/2022-10-astaria/blob/main/lib/astaria-gpl/src/AuctionHouse.sol#L276

  function _handleIncomingPayment(
    uint256 tokenId,
    uint256 transferAmount,
    address payer
  ) internal {
    require(transferAmount > uint256(0), "cannot send nothing");
    Auction storage auction = auctions[tokenId];

    uint256 initiatorPayment = transferAmount.mulDivDown(
      auction.initiatorFee,
      100
    ); 
    TRANSFER_PROXY.tokenTransferFrom(
      weth,
      payer,
      auction.initiator,
      initiatorPayment
    );
    transferAmount -= initiatorPayment; /******** pay initiatorFee ********/

Tool used

Manual Review

Recommendation

  function createAuction(
    uint256 tokenId,
    uint256 duration,
    address initiator,
    uint256 initiatorFee
  ) external requiresAuth returns (uint256 reserve) {
    (reserve, ) = LIEN_TOKEN.stopLiens(tokenId);

    Auction storage newAuction = auctions[tokenId];
    newAuction.duration = duration.safeCastTo64();
-   newAuction.reservePrice = reserve;
+    newAuction.reservePrice = reserve + reserve.mulDivDown(
                                                        auction.initiatorFee,
                                                        100
                                                    );     
    newAuction.initiator = initiator;
    newAuction.initiatorFee = initiatorFee;
    newAuction.firstBidTime = block.timestamp.safeCastTo64();
    newAuction.maxDuration = (duration + 1 days).safeCastTo64();
    newAuction.currentBid = 0;

    emit AuctionCreated(tokenId, duration, reserve);
  }
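Review bot: the `+` line references `auction.initiatorFee`, but there is no `auction` variable in `createAuction`; the storage struct is `newAuction`, and its `initiatorFee` field is only assigned a few lines later, so the fee used here should be the `initiatorFee` parameter itself. A second point on the arithmetic: `_handleIncomingPayment` deducts the fee from the payment (`transferAmount -= initiatorPayment`), so a bid of `reserve + reserve * fee / 100` leaves `reserve * (1 - fee^2 / 10000)` for the liens, still short of `reserve`; to net `reserve` after the fee the price has to be grossed up, i.e. `reserve * 100 / (100 - initiatorFee)` rounded up. Finally, `emit AuctionCreated(tokenId, duration, reserve)` still emits the pre-fee `reserve` rather than the new `reservePrice`, which will mislead off-chain consumers of the event.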

Duplicate of #199
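To see how much the lien side actually receives under each choice of reservePrice, here is an added Python model of the quoted fee split (not the Astaria code and not the issue author's code). The grossed-up variant and the sample amounts are assumptions of this example, not something on the page.

```python
# Integer model of AuctionHouse's fee split, following the quoted
# _handleIncomingPayment: initiatorPayment = amount * fee / 100, rounded down
# (solmate mulDivDown), and the remainder is what is left to clear the liens.

def mul_div_down(x: int, y: int, d: int) -> int:
    """Solidity-style floor(x * y / d) on unsigned integers."""
    return (x * y) // d

def handle_incoming_payment(transfer_amount: int, initiator_fee: int) -> tuple[int, int]:
    """Split a payment the way _handleIncomingPayment does.
    Returns (initiator_payment, amount_left_for_liens)."""
    assert transfer_amount > 0, "cannot send nothing"
    initiator_payment = mul_div_down(transfer_amount, initiator_fee, 100)
    return initiator_payment, transfer_amount - initiator_payment

def reserve_as_is(reserve: int, fee: int) -> int:
    """Current createAuction: reservePrice = reserve, fee ignored."""
    return reserve

def reserve_plus_fee(reserve: int, fee: int) -> int:
    """The issue's suggested fix: reserve + reserve * fee / 100."""
    return reserve + mul_div_down(reserve, fee, 100)

def reserve_grossed_up(reserve: int, fee: int) -> int:
    """Assumed alternative (not on the page): smallest price whose post-fee
    remainder is still >= reserve, i.e. ceil(reserve * 100 / (100 - fee))."""
    assert 0 <= fee < 100
    return -(-reserve * 100 // (100 - fee))

def shortfall(reserve: int, fee: int, price_fn) -> int:
    """Amount the liens are short if the auction settles at price_fn's reserve."""
    price = price_fn(reserve, fee)
    _, for_liens = handle_incoming_payment(price, fee)
    return max(0, reserve - for_liens)

if __name__ == "__main__":
    # Constructed sample: 1000 WETH of liens, 10 % initiator fee.
    reserve, fee = 1_000 * 10**18, 10
    for fn in (reserve_as_is, reserve_plus_fee, reserve_grossed_up):
        short = shortfall(reserve, fee, fn)
        print(f"{fn.__name__:20s} shortfall = {short / 10**18:.4f} WETH")
```

With a 10 % fee the current code leaves the liens 10 % short, the suggested fix still leaves them 1 % short, and only the grossed-up reserve nets the full amount after rounding.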

IAmTurnipBoy commented 1 year ago

Escalate for 1 USDC

Duplicate of #108

sherlock-admin commented 1 year ago

Escalate for 1 USDC

Duplicate of #108

You've created a valid escalation for 1 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Evert0x commented 1 year ago

Escalation accepted

sherlock-admin commented 1 year ago

Escalation accepted

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.