But there is no other limit so the owner can refund without deposit using refund_highest_bidder when settle and deposit to Vault works normally. In this case, the attacker can front-run refund_highest_bidder and call settle so the owner has no option to refund.
Impact
The owner can't refund when deposit to Vault works normally.
XKET
medium
Attacker can front-run
AuctionHouse.refund_highest_bidder
to block refundingSummary
Attacker can front-run
refund_highest_bidder
to block refunding inAuctionHouse
.Vulnerability Detail
AuctionHouse.settle
can be failed when it interacts with Vault.In this case, the highest bidder's fund is locked in the auction house, so the owner can refund it using
refund_highest_bidder
.But there is no other limit so the owner can refund without deposit using
refund_highest_bidder
whensettle
and deposit to Vault works normally. In this case, the attacker can front-runrefund_highest_bidder
and callsettle
so the owner has no option to refund.Impact
The owner can't refund when deposit to Vault works normally.
Code Snippet
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/AuctionHouse.vy#L212 https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/AuctionHouse.vy#L314-L325
Tool used
Manual Review
Recommendation
Make sure when
refund_highest_bidder
is called and restrictsettle
more so it can't be called at the same time.Duplicate of #81