Oighty
commented
1 year ago Acknowledge that users can exceed the max payout by making consecutive transactions. Market creators can set max payout to 100% of the market capacity by making the depositInterval the same as the market duration. However, we kept the option for maxPayout in these variants for consistency with the other auction types and to allow market creators to create some friction to a user buying out the whole capacity if they wish. This is functioning as designed.
UsmannK
sherlock-admin
hrishibhat
usmannk
medium
Users can avoid the max payout limit for FPA and OFDA auction types
Summary
The OSDA auction type updates the sale price of a bond after each sale. However the price of the next sale is only dependent on previous sales. For a sale at time
tonly the actions taken in time[0,t-1]are considered. To avoid a buyer at timetmaking an outsized impact based on the previous state, amaxPayoutparameter was introduced. This way buyers have to split large orders into several, allowing for state updates to occur within the order.However, the FPA and OFDA auction types have no such dependence between price and previous sales. For these auctions, the maxPayout parameter only causes the buyer to waste gas as making two identical orders will use the same price as just making one order twice as large.
Vulnerability Detail
The
maxPayoutparameter in FPA and OFDA auctions can be avoided by simply making many transactions in between oracle updates. This is an identical operation to just removing themaxPayoutparameter from these auction types altogether.https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/bases/BondBaseFPA.sol#L286-L287
Impact
maxPayoutlimit is totally avoided by buyersCode Snippet
Tool used
Manual Review
Recommendation
Remove the
maxPayoutparameter from auctions where price is independent of previous sales.