search

sherlock-audit / 2024-03-axis-finance-judging

1 stars 0 forks source link

web3tycoon - A malicious Admin can cancel any auction without refunds. to the `Seller` or `bidder` #236

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

web3tycoon

high

A malicious Admin can cancel any auction without refunds. to the Seller or bidder

Summary

When an auction is prefunded, and the parent or admin calls cancelAuction(uint256 lotId_) the amount of the seller is forcefully set to zero, locking the funds of the seller

Vulnerability Detail

Make sure to import all dependenciess


    function test_Cancel_Batch()
        external
        whenAuctionTypeIsBatch
        whenBatchAuctionModuleIsInstalled
        givenCuratorIsSet
        givenQuoteTokenHasDecimals(17)
        givenBaseTokenHasDecimals(13)
        givenSellerHasBaseTokenBalance(_scaleBaseTokenAmount(_LOT_CAPACITY))
        givenSellerHasBaseTokenAllowance(_scaleBaseTokenAmount(_LOT_CAPACITY))
        givenLotIsCreated
        givenLotHasStarted
        givenReferrerFeeIsSet
        givenProtocolFeeIsSet
        givenBalancesAreSet
        givenUserHasQuoteTokenBalance(_scaleQuoteTokenAmount(_BID_AMOUNT))
        givenUserHasQuoteTokenAllowance(_scaleQuoteTokenAmount(_BID_AMOUNT))
        givenBidCreated(_bidder, _scaleQuoteTokenAmount(_BID_AMOUNT), "")
        givenBidderTwoHasQuoteTokenBalance(_scaleQuoteTokenAmount(_BID_AMOUNT))
        givenBidderTwoHasQuoteTokenAllowance(
            _scaleQuoteTokenAmount(_BID_AMOUNT)
        )
        givenBidCreated(_BIDDER_TWO, _scaleQuoteTokenAmount(_BID_AMOUNT), "")
        givenPayoutIsSet(
            _bidder,
            _REFERRER,
            _scaleQuoteTokenAmount(_BID_AMOUNT),
            _scaleBaseTokenAmount(_BID_AMOUNT_OUT)
        )
        givenPayoutIsSet(
            _BIDDER_TWO,
            _REFERRER,
            _scaleQuoteTokenAmount(_BID_AMOUNT),
            _scaleBaseTokenAmount(_BID_AMOUNT_OUT)
        )
    {
        vm.prank(address(_auctionHouse));
        _module.cancelAuction(_lotId);
Auction.Lot memory lotData = _getAuctionLot(_lotId);
        assertEq(lotData.conclusion, uint48(block.timestamp));
        assertEq(lotData.capacity, 0);
    }

Impact

This will result to permanenlty locking funds

Code Snippet

https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/modules/Auction.sol#L351 https://github.com/sherlock-audit/2024-03-axis-finance/blob/main/moonraker/src/modules/Auction.sol#L363

Tool used

Manual Review

Recommendation

add functionality on cancelling funds are not locked in the smartcontract but refunded to the bidders and sellers

Duplicate of #169

0xJem commented 7 months ago

Duplicate of #169