Bidders can bid more than the available balance of the send token
Summary
In the _createBidInfo function, there is no check to ensure that the _quoteQuantityLimit parameter is not greater than the preBidTokenSentBalance of the send token which will result in an insufficient balance of the send token to fulfill the quote quantity limit
Vulnerability Detail
In the _createBidInfo function, the preBidTokenSentBalance is assigned the balance of the send token held by the setToken before the bid is executed: bidInfo.preBidTokenSentBalance = bidInfo.sendToken.balanceOf(address(_setToken));
However, there is no explicit check to ensure that the _quoteQuantityLimit is not greater than the preBidTokenSentBalance. This means that a bid can be made with a quote asset limit that exceeds the available balance of the send token.
The bid execution code in the bid function does not perform any additional checks on the available balance of the send token. Therefore, if a bid is made with a quote asset limit greater than the available balance, the bid will still be executed, potentially resulting in an incorrect execution.
Impact
Bidder can bid more than the available balance, leading to a loss of funds if the bid is executed
Add modification to the createBidInfo function to verify whether the _quoteQuantityLimit is less than or equal to the preBidTokenSentBalance of the send token. If the condition is not met, it will revert the transaction with an error message indicating that the quote quantity limit exceeds the token balance
https://github.com/seerether/Index/blob/9b3a24296847ee894841a31bd36cc131cebeae8b/Indexmitigate7#L12-L16
seerether
high
Bidders can bid more than the available balance of the send token
Summary
In the _createBidInfo function, there is no check to ensure that the _quoteQuantityLimit parameter is not greater than the preBidTokenSentBalance of the send token which will result in an insufficient balance of the send token to fulfill the quote quantity limit
Vulnerability Detail
In the _createBidInfo function, the preBidTokenSentBalance is assigned the balance of the send token held by the setToken before the bid is executed: bidInfo.preBidTokenSentBalance = bidInfo.sendToken.balanceOf(address(_setToken)); However, there is no explicit check to ensure that the _quoteQuantityLimit is not greater than the preBidTokenSentBalance. This means that a bid can be made with a quote asset limit that exceeds the available balance of the send token. The bid execution code in the bid function does not perform any additional checks on the available balance of the send token. Therefore, if a bid is made with a quote asset limit greater than the available balance, the bid will still be executed, potentially resulting in an incorrect execution.
Impact
Bidder can bid more than the available balance, leading to a loss of funds if the bid is executed
Code Snippet
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L772
Tool used
Manual Review
Recommendation
Add modification to the createBidInfo function to verify whether the _quoteQuantityLimit is less than or equal to the preBidTokenSentBalance of the send token. If the condition is not met, it will revert the transaction with an error message indicating that the quote quantity limit exceeds the token balance https://github.com/seerether/Index/blob/9b3a24296847ee894841a31bd36cc131cebeae8b/Indexmitigate7#L12-L16