Curator can increase fee before accepting auction, leading the seller to pay more curator fees than he expected.
Summary
The curator fee is not set when auction is created, it is set when the curator accepts the auction instead. The result is that the curator can increase the fee before accepting the auction, and the seller has to accept the new fee.
Vulnerability Detail
When creating an auction by Auctioneer.auction(), the curator address and the curated state are set, but the curator fee is not set.
The curator fee is set when the curator accepts the auction in AuctionHouse.curate(). In this case, the curator can first increase his curator fee (by FeeManager.setCuratorFee()), and then accepts the auction. The fee is higher than when the auction was created, which may result in the seller paying more curator fees than he expected.
634: function curate(uint96 lotId_, bytes calldata callbackData_) external nonReentrant {
...
650: // Set the curator as approved
651: feeData.curated = true;
652:@> feeData.curatorFee = fees[keycodeFromVeecode(routing.auctionReference)].curator[msg.sender];
...
699 }
110: function setCuratorFee(Keycode auctionType_, uint48 fee_) external {
111: // Check that the fee is less than the maximum
112: if (fee_ > fees[auctionType_].maxCuratorFee) revert InvalidFee();
113:
114: // Set the fee for the sender
115: fees[auctionType_].curator[msg.sender] = fee_;
116: }
ydlee
high
Curator can increase fee before accepting auction, leading the seller to pay more curator fees than he expected.
Summary
The curator fee is not set when auction is created, it is set when the curator accepts the auction instead. The result is that the curator can increase the fee before accepting the auction, and the seller has to accept the new fee.
Vulnerability Detail
When creating an auction by
Auctioneer.auction(), thecurator addressand thecurated stateare set, but thecurator feeis not set.https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/Auctioneer.sol#L216-L220
The
curator feeis set when the curator accepts the auction inAuctionHouse.curate(). In this case, the curator can first increase hiscurator fee(byFeeManager.setCuratorFee()), and then accepts the auction. The fee is higher than when the auction was created, which may result in the seller paying more curator fees than he expected.https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/AuctionHouse.sol#L650-L652
https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/FeeManager.sol#L110-L116
Impact
Curator can increase curator fee before accepting an auction, this may lead the seller to pay more curator fees than he expected.
Code Snippet
https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/Auctioneer.sol#L216-L220
https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/AuctionHouse.sol#L650-L652
https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/bases/Auctioneer.sol#L216-L220
Tool used
Manual Review
Recommendation
Set the curator fee in
Auctioneer.auction()instead of inAuctionHouse.curate().Duplicate of #111