gravenp
commented
8 months ago This issue was originally invalidated based on Sherlock's contest rules about front-running initializers (VII.7), but the team has decided that we'll address it regardless. As this boils down to griefing, I believe this should be low priority.
Duplicates to be rolled in: https://github.com/sherlock-audit/2024-02-radicalxchange-judging/issues/56 https://github.com/sherlock-audit/2024-02-radicalxchange-judging/issues/72
lamsy
high
initializeAuction Function can be front run
Summary
The
initializeAuctionfunction in theEnglishPeriodicAuctionFacetcontract lacks access control, potentially allowing unauthorized parties to frontrun and initialize the auction parameters.Vulnerability Detail
The
initializeAuctionfunction does not have any access control modifiers, such asonlyOwneroronlyRole, which means any external account can frontrun this function to initialize the auction parameters. This can lead to unauthorized modifications of critical auction settings by malicious actors.Impact
The impact of this vulnerability is that unauthorized users can interfere with the auction process, potentially disrupting the fairness and integrity of the auction.
Code Snippet
https://github.com/sherlock-audit/2024-02-radicalxchange/blob/main/pco-art/contracts/auction/facets/EnglishPeriodicAuctionFacet.sol#L28
https://github.com/sherlock-audit/2024-02-radicalxchange/blob/main/pco-art/contracts/auction/facets/EnglishPeriodicAuctionFacet.sol#L61
Tool used
Manual Review
Recommendation
Implement access control mechanisms such as role-based access control (RBAC) to restrict the initializeAuction function to only be callable by authorized addresses. This ensures that only trusted parties can initialize the auction parameters and mitigates the risk of unauthorized modifications.