Open sherlock-admin3 opened 3 months ago
The protocol team fixed this issue in the following PRs/commits: https://github.com/Axis-Fi/moonraker/pull/143
Fixed. Now bidders can claim a refund unless the private key is submitted following a dedicatedSettlePeriod.
The Lead Senior Watson signed off on the fix.
hash
medium
Users can be griefed by not submitting the private key
Summary
Users can be griefed by not submitting the private key
Vulnerability Detail
Bids cannot be refunded once the auction concludes, and bids cannot be claimed until the auction has been settled. Similarly, an EMPAM auction cannot be cancelled once it has started.
For EMPAM auctions, the private key associated with the auction has to be submitted before the auction can be settled. In auctions where the private key is held by the seller, the seller can grief the bidders by withholding it; where a key-management solution holds the key, both the seller and the bidders can be griefed if the key is never submitted.
Impact
Users will not be able to claim their assets if the private-key holder does not submit the key needed for decryption; with no refund path after conclusion and no settlement without the key, their bids remain locked.
Code Snippet
https://github.com/sherlock-audit/2024-03-axis-finance/blob/cadf331f12b485bac184111cdc9ba1344d9fbf01/moonraker/src/modules/auctions/EMPAM.sol#L747-L756
Tool used
Manual Review
Recommendation
Acknowledge the risk involved for the seller and bidder
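The lock-up described under Vulnerability Detail, and the dedicated-settle-period rule mentioned in the fix note, as an added illustrative model. This is example code written for this page, not Axis-Fi/moonraker's EMPAM.sol: the native-ETH escrow, the `settled` flag, the function names and the two-contract split are assumptions, and the real fix lives in PR #143. `dedicatedSettlePeriod` is the name used in the fix note above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative model of the EMPAM lifecycle described in the finding.
/// Written for this write-up; it is NOT Axis-Fi/moonraker code. Native-ETH
/// escrow, the `settled` flag and the function names are assumptions.
abstract contract SealedBidAuctionModel {
    address public immutable seller;
    uint64 public immutable conclusion;             // bids accepted strictly before this timestamp
    uint64 public immutable dedicatedSettlePeriod;  // seconds after conclusion reserved for key submission
    bytes32 public privateKey;                      // decryption key; zero until submitted
    bool public settled;

    mapping(address => uint256) public escrowed;    // quote tokens (ETH here) held per bidder

    constructor(uint64 duration, uint64 settlePeriod) {
        seller = msg.sender;
        conclusion = uint64(block.timestamp) + duration;
        dedicatedSettlePeriod = settlePeriod;
    }

    function bid() external payable {
        require(block.timestamp < conclusion, "auction concluded");
        escrowed[msg.sender] += msg.value;
    }

    /// Only the seller (or its key-management setup) holds the key, so
    /// settlement depends on this call ever being made.
    function submitPrivateKey(bytes32 key) external {
        require(msg.sender == seller, "not seller");
        require(block.timestamp >= conclusion, "not concluded");
        require(privateKey == bytes32(0), "key already submitted");
        require(_keySubmissionOpen(), "key window closed");
        privateKey = key;
    }

    function settle() external {
        require(privateKey != bytes32(0), "key not submitted");
        settled = true;
        // decryption, marginal-price computation and payouts omitted
    }

    function refund() external {
        require(!settled, "settled: claim instead");
        require(_refundAllowed(), "refunds locked");
        uint256 amount = escrowed[msg.sender];
        require(amount > 0, "nothing escrowed");
        escrowed[msg.sender] = 0;                   // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _keySubmissionOpen() internal view virtual returns (bool);
    function _refundAllowed() internal view virtual returns (bool);
}

/// The rule the finding describes: refunds stop at conclusion and nothing
/// forces the key out, so an absent key leaves every bid locked indefinitely.
contract VulnerableAuction is SealedBidAuctionModel {
    constructor(uint64 duration, uint64 settlePeriod)
        SealedBidAuctionModel(duration, settlePeriod) {}

    function _keySubmissionOpen() internal pure override returns (bool) {
        return true;                                // key accepted whenever, or never
    }

    function _refundAllowed() internal view override returns (bool) {
        return block.timestamp < conclusion;        // nothing reopens refunds after this
    }
}

/// Hardened rule modelled on the fix note: the key must arrive within
/// dedicatedSettlePeriod after conclusion. Once that window passes without a
/// key, bidders can withdraw, and a late key can no longer re-lock them.
contract HardenedAuction is SealedBidAuctionModel {
    constructor(uint64 duration, uint64 settlePeriod)
        SealedBidAuctionModel(duration, settlePeriod) {}

    function _keySubmissionOpen() internal view override returns (bool) {
        return block.timestamp < conclusion + dedicatedSettlePeriod;
    }

    function _refundAllowed() internal view override returns (bool) {
        bool keyNeverCame = privateKey == bytes32(0) && !_keySubmissionOpen();
        return block.timestamp < conclusion || keyNeverCame;
    }
}
```

The two checks in `HardenedAuction` have to agree: the refund path opens exactly when the key path closes. If refunds opened after the period but a late key were still accepted, a seller could let some bidders withdraw and then submit the key to settle against whoever was left, which is a different griefing vector rather than a fix.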