Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid,
The protocol team fixed this issue in PR/commit https://github.com/arcadia-finance/lending-v2/pull/141.
Fix looks good. Auctions that request excess amounts will have the amounts reduced instead of reverting.
The Lead Senior Watson signed off on the fix.
Kalyan-Singh
medium
Dutch auction buys can be griefed resulting in Bad Debt accrual for the protocol
Summary
The bid function in Liquidator.sol takes in askedAssetAmount[], but if even one of the asked assets is 1 wei less in the account, the entire txn reverts.
Vulnerability Detail
The bid function's asked assetAmounts are directly passed to _withdrawERC20 which reverts if there is not enough recorded balance.
A malicious user can use this to make the protocol accrue bad debt.
Scenario: Account A has 1000e6 USDC. Bob thinks that it is the right price to buy in the Dutch auction and tries to buy all the USDC, but Alice front-runs and buys just 1, which will cause Bob's txns to revert.
This can lead to bot wars, where one bot griefs another until they buy collateral at a significantly lower price.
Impact
Loss to the protocol
Code Snippet
Bid Function _withdrawERC20
Tool used
Manual Review
Recommendation
Propagate to users that if they want to buy the entire collateral they need to pass in uint256.max in askedAssetAmounts.
If the askedAssetAmounts are uint256.max, let the user buy all the recorded balances.
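The following is an added example, not part of the original report and not Arcadia's code: a small Python model that replays the report's front-run ordering against a strict withdrawal (reverts on any shortfall) and a clamped one (excess asks are reduced, as the fix is described above). `AuctionedAccount`, `replay` and `FRONT_RUN` are hypothetical names, and auction pricing is deliberately left out.

```python
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is undone."""


class AuctionedAccount:
    """Hypothetical stand-in for the account being liquidated."""

    def __init__(self, balances, clamp):
        self.balances = dict(balances)  # asset -> recorded balance
        self.clamp = clamp              # False: strict, True: reduce excess asks

    def bid(self, asked):
        """Withdraw the asked amounts atomically; return what was sold."""
        filled = {}
        for asset, amount in asked.items():
            available = self.balances.get(asset, 0)
            if amount > available:
                if not self.clamp:
                    raise Revert(f"{asset}: asked {amount}, recorded {available}")
                amount = available      # clamped: sell whatever is left
            filled[asset] = amount
        for asset, amount in filled.items():  # apply only after every check passed
            self.balances[asset] -= amount
        return filled


def replay(clamp, txs, start=1000 * 10**6):
    """Run bids in inclusion order; return (per-bidder result, leftover balances)."""
    account = AuctionedAccount({"USDC": start}, clamp)
    outcome = {}
    for bidder, asked in txs:
        try:
            outcome[bidder] = account.bid(asked)
        except Revert:
            outcome[bidder] = None      # transaction reverted, nothing bought
    return outcome, account.balances


# Constructed ordering from the report's scenario: the 1-unit bid is included first.
FRONT_RUN = [("alice", {"USDC": 1}), ("bob", {"USDC": 1000 * 10**6})]

if __name__ == "__main__":
    for clamp in (False, True):
        print("clamp" if clamp else "strict", replay(clamp, FRONT_RUN))
```

With clamping, a bid of `UINT256_MAX` also behaves as "buy the whole recorded balance", which covers the report's recommendation without a separate code path.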