Permanent DoS of claimBids() and settle() functions for an auction lot with an expired LinearVesting derivative.
Summary
Currently, an auction lot can be set up with the use of LinearVesting derivative. If such a derivative module is enabled on an auction lot, the payment will be sent in the form of linearly vesting tokens. The problem is if the derivative expires the bidders won't be able to claim their winning bids.
Vulnerability Detail
When an auction is settled, winning bidders can claim their bids through a call to claimBids(). If an auction had a partially filled bidder, his payout is sent during a call to settle().
AuctionHouse.sol#L425-L442
if (bidClaim.payout > 0) {
// Allocate quote and protocol fees for bid
_allocateQuoteFees(
protocolFee,
referrerFee,
bidClaim.referrer,
routing.seller,
routing.quoteToken,
bidClaim.paid
);
// Reduce funding by the payout amount
unchecked {
routing.funding -= bidClaim.payout;
}
// Send the payout to the bidder
_sendPayout(
bidClaim.bidder,
bidClaim.payout,
routing,
auctionOutput
);
if (settlement.pfBidder != address(0)) {
_allocateQuoteFees(
feeData.protocolFee,
feeData.referrerFee,
settlement.pfReferrer,
routing.seller,
routing.quoteToken,
uint96(
Math.mulDivDown(
settlement.pfPayout,
settlement.totalIn,
settlement.totalOut
)
)
);
// Reduce funding by the payout amount
unchecked {
routing.funding -= uint96(settlement.pfPayout);
}
// Send refund and payout to the bidder
Transfer.transfer(
routing.quoteToken,
settlement.pfBidder,
settlement.pfRefund,
false
);
// @audit-info Send baseTokens to bidder
_sendPayout(
settlement.pfBidder,
settlement.pfPayout,
routing,
auctionOutput
);
}
If a derivative module was enabled on the auction lot, _sendPayout() will try to mint derivative tokens to the bidder.
AuctionHouse.sol#L800-L831
DerivativeModule module = DerivativeModule(
_getModuleIfInstalled(derivativeReference)
);
// Approve the module to transfer payout tokens when minting
Transfer.approve(baseToken, address(module), payoutAmount_);
// Call the module to mint derivative tokens to the recipient
module.mint(
recipient_,
address(baseToken),
routingParams_.derivativeParams,
payoutAmount_,
routingParams_.wrapDerivative
);
mint function of the LinearVesting derivative, validates that the expiry of the derivative is in the future, and reverts if it's not.
LinearVesting.sol#L262-L264
if (_validate(underlyingToken_, params) == false) {
revert InvalidParams();
}
During the creation of the auction lot, check that the expiry of the derivative is greater than the conclusion of the auction lot, or allow minting derivative tokens even after expiry.
sl1
medium
Permanent DoS of
claimBids()
andsettle()
functions for an auction lot with an expiredLinearVesting
derivative.Summary
Currently, an auction lot can be set up with the use of
LinearVesting
derivative. If such a derivative module is enabled on an auction lot, the payment will be sent in the form of linearly vesting tokens. The problem is if the derivative expires the bidders won't be able to claim their winning bids.Vulnerability Detail
When an auction is settled, winning bidders can claim their bids through a call to
claimBids()
. If an auction had a partially filled bidder, his payout is sent during a call tosettle()
. AuctionHouse.sol#L425-L442AuctionHouse.sol#L503-L529
If a derivative module was enabled on the auction lot,
_sendPayout()
will try to mint derivative tokens to the bidder. AuctionHouse.sol#L800-L831mint
function of theLinearVesting
derivative, validates that the expiry of the derivative is in the future, and reverts if it's not. LinearVesting.sol#L262-L264LinearVesting.sol#L534-L535
If the derivative token expires, claiming will be DoS'ed for the winners, leaving them without a way to rescue their funds.
Impact
Claiming of winnings bids will be DoS'ed.
Code Snippet
https://github.com/sherlock-audit/2024-03-axis-finance/blob/cadf331f12b485bac184111cdc9ba1344d9fbf01/moonraker/src/modules/derivatives/LinearVesting.sol#L262-L264 https://github.com/sherlock-audit/2024-03-axis-finance/blob/cadf331f12b485bac184111cdc9ba1344d9fbf01/moonraker/src/modules/derivatives/LinearVesting.sol#L521-L541
Tool used
Manual Review
Recommendation
During the creation of the auction lot, check that the expiry of the derivative is greater than the conclusion of the auction lot, or allow minting derivative tokens even after expiry.
Duplicate of #178