search

sherlock-audit / 2024-03-axis-finance-judging

1 stars 0 forks source link

AgileJune - Auction with lotId > 0 is always not handled as expected due to empty auction routing information #171

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

AgileJune

high

Auction with lotId > 0 is always not handled as expected due to empty auction routing information

Summary

If there are Multiple Auctions, all auctions information are messed to empty auction routing information

Vulnerability Detail

Auctioneer.sol::auction() always does not set routing information for lotId greater than zero.

    function auction(
        RoutingParams calldata routing_,
        Auction.AuctionParams calldata params_,
        string calldata infoHash_
    ) external nonReentrant returns (uint96 lotId) {
....
@       Routing storage routing = lotRouting[lotId];

        bool requiresPrefunding;
        uint96 lotCapacity;
        {
....
            // Increment lot count and get ID
@           lotId = lotCounter++;

            // Call module auction function to store implementation-specific data
            (lotCapacity) =
                auctionModule.auction(lotId, params_, quoteTokenDecimals, baseTokenDecimals);
            routing.auctionReference = auctionModule.VEECODE();
....
        }

        // Store routing information
        routing.seller = msg.sender;
        routing.baseToken = routing_.baseToken;
        routing.quoteToken = routing_.quoteToken;
....

        // Derivative
        if (fromKeycode(routing_.derivativeType) != bytes5("")) {
....
            // Store derivative information
            routing.derivativeReference = derivativeModule.VEECODE();
            routing.derivativeParams = routing_.derivativeParams;
            routing.wrapDerivative = routing_.wrapDerivative;
        }
    }

As you can see above code snippet, routing storage variable is as lotRouting[0]. So whenever auctioneer creates auction, routing data is saved in lotRouting[0], this means that if there are multiple auctions, all auctions' information are messed.

Impact

Due to empty auction information, auction is invalid. auctioneer funds are locked in protocol, or lost if try to cancel because routing.seller is address(0).

Code Snippet

https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/Auctioneer.sol#L174 https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/Auctioneer.sol#L194

Tool used

Manual Review

Recommendation

At the beginning of Auctioneer.sol::auction() function, place the line to increment lot count and get ID.

Duplicate of #12