Open github-actions[bot] opened 1 year ago
While the issue is valid, there are no funds at risk with starting the auction early. Considering this issue a valid medium.
Fix looks good:
auction_started
boolean flag is used to prevent settle()
from being called before an auction begins
carrot
high
Starting timestamp can be bypassed by calling
settle
Summary
The starting timestamp set or still unset by the owner through the
start_auction
function can be bypassed by callingsettle
, which sends the first token to the fallback and then starts the auction for subsequent tokenIds.Vulnerability Detail
The function
start_auction
is meant to be used to start the auction process, after which the bids start getting accepted. However, this entire system can be bypassed by calling thesettle
function. This leads to the first tokenId being minted to the fallback address, and the next tokenId auction being started immediately.This can be exploited in two scenarios,
start_auction
hasn't been called yetstart_auction
has been called, and the timestamp passed is a timestamp in the futureIn both these cases, the auctions can be made to start immediately. Thus the two issues are clubbed together.
The function
settle
only checks for the timestamp using the statement https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/AuctionHouse.vy#L185 which is defined as https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/AuctionHouse.vy#L247-L252 This check passes if the current timestamp is after the end of the epoch, but also if the current timestamp is before the start of the auction, which is the main issue here.Inside the
settle
function, it sets the start and end timestamps properly, which allows bids to be made for subsequent tokenIds. https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/AuctionHouse.vy#L200-L206So even if the starting timestamp is unset or set in the future, the checks in
settle
pass, and the function then proceeds to write the start and end timestamps to process bids correctly.Impact
Bids can be started immediately. This goes against the design of the protocol.
Code Snippet
The issue can be recreated with the following POC
This shows a case where
start_action
is never called, yet the bids start. The same can be done ifstart_auction
is called with a timestamp in the futureTool used
Boa Manual Review
Recommendation
Change the check in
settle
to check for the end timestamp ONLY