sherlock-audit / 2024-02-radicalxchange-judging

3 stars 1 forks source link

jah - a user can cancel his bid even if he is the highest biddeer and win without tranferring a bid #122

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

jah

high

a user can cancel his bid even if he is the highest biddeer and win without tranferring a bid

Summary

the function _cancelAllBids misses a critical check which allows user to cancel even if they are the highest bidder

Vulnerability Detail

the function EnglishPeriodicAuctionInternal._cancelBid and EnglishPeriodicAuctionInternal._cancelAllBids both are used to cancel a bid but the second one misses a check which prevent the highest bidder from canceling a bid in the function _cancelBId there is a code that prevent the highest bidder from withdrawing require( bidder != l.highestBids[tokenId][round].bidder, 'EnglishPeriodicAuction: Cannot cancel bid if highest bidder' ); but in there is no check in EnglishPeriodicAuctionInternal._cancelAllBids so by using this function a user can steal the bid by transferring a big amount and the call the _cancelAllBids function when the auction is going to end so when calling _cancelAllBids the l.highestBids is not update only the collateral balance is updated so a user can win the auciton without transferring any amount
Impact

Dos user by transfering a big amount and canceling it when the auction is going to end or win without a collateral

Code Snippet

https://github.com/sherlock-audit/2024-02-radicalxchange/blob/main/pco-art/contracts/auction/EnglishPeriodicAuctionInternal.sol#L416

Tool used

Manual Review

Recommendation

add the same check on the _cancelAllBids function

Duplicate of #14