Closed sherlock-admin2 closed 4 months ago
2 comment(s) were left on this issue during the judging contest.
WangAudit commented:
Seems to be intended behaviour; if they're registered but not approved then there's no incentive for doing anything; therefore, to me it looks like it is working fine, and the goal of approval is to allow them to withdraw.
takarez commented:
valid; medium(4)
Dliteofficial
medium
Unapproved clients could start earning client auction rewards
Summary
Clients who are registered but unapproved can start earning auction rewards as soon as they are registered, as long as they facilitate the winning bid.
Vulnerability Detail
With the upgrade of NounsAuctionHouse to NounsAuctionHouseV2, client incentives are implemented to encourage clients to facilitate auction bids. To enjoy this incentive, the client has to facilitate the winning bid. To be eligible, they first have to register by calling Rewards::registerClient(). Calling this function doesn't approve the client; the DAO still has to give the stamp of approval. Unlike unapproved clients, approved clients are not just entitled to auction rewards, they can also withdraw the rewards garnered. The vulnerability here arises from the ability of unapproved clients to earn rewards by posting the winning bid. Although this doesn't cause any financial loss to the protocol, it renders the approval process inefficient, since a client doesn't necessarily need approval to start earning rewards.
Impact
As mentioned earlier, there is no financial loss to the protocol, because unapproved clients are unable to withdraw their rewards until approval is granted. However, an unapproved client that facilitates a bid above an approved client's bid denies that approved client the reward it would otherwise have earned.
Code Snippet
Tool used
Manual Review
Recommendation
Only approved clients should be allowed to compete for client rewards.
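The registration-versus-approval gap described in the vulnerability detail, and the recommendation above, as an added illustration that is not the Nouns code: a hypothetical, simplified rewards model in which the reported settlement path credits any registered client, while the recommended path requires the same DAO approval that withdrawal already requires. The contract and function names (ClientRewardsModel, settleAuctionVulnerable, settleAuctionFixed, REWARD_PER_AUCTION) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified model (not the Nouns code): anyone registers a client id,
// only the DAO approves it, and the auction house credits the winning bid's client.
contract ClientRewardsModel {
    struct Client { address owner; bool approved; uint256 balance; }
    address public immutable dao;
    address public immutable auctionHouse;
    uint32 public nextClientId = 1;
    uint256 public constant REWARD_PER_AUCTION = 1 ether;
    mapping(uint32 => Client) public clients;

    constructor(address dao_, address auctionHouse_) {
        dao = dao_;
        auctionHouse = auctionHouse_;
    }
    // Permissionless: registration alone grants no approval.
    function registerClient() external returns (uint32 id) {
        id = nextClientId++;
        clients[id].owner = msg.sender;
    }
    // Only the DAO can approve a registered client.
    function approveClient(uint32 id) external {
        require(msg.sender == dao, "only DAO");
        require(clients[id].owner != address(0), "unknown client");
        clients[id].approved = true;
    }
    // As reported: any registered client is credited, approved or not.
    function settleAuctionVulnerable(uint32 winningClientId) external {
        require(msg.sender == auctionHouse, "only auction house");
        Client storage c = clients[winningClientId];
        if (c.owner != address(0)) c.balance += REWARD_PER_AUCTION;
    }
    // As recommended: only approved clients compete, the gate withdraw() already uses.
    function settleAuctionFixed(uint32 winningClientId) external {
        require(msg.sender == auctionHouse, "only auction house");
        Client storage c = clients[winningClientId];
        if (c.approved) c.balance += REWARD_PER_AUCTION;
    }
    function withdraw(uint32 id) external {
        Client storage c = clients[id];
        require(msg.sender == c.owner && c.approved, "client not approved");
        uint256 amount = c.balance;
        c.balance = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
    receive() external payable {}
}
```

With settleAuctionVulnerable, a client that has only called registerClient() accumulates a balance it cannot withdraw, while the approved client whose bid it outbid gets nothing for that auction; settleAuctionFixed keeps accrual and withdrawal gated on the same approval flag.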