chaduke - An auction might be settled without meeting the reservePrice requirement.

[sherlock-admin3]

chaduke

medium

An auction might be settled without meeting the reservePrice requirement.

Summary

An auction might be settled without meeting the reservePrice requirement. The main reason is that the admin can change the parameters of an on-going auction: timeBuffer, reservePrice, and minBidIncrementPercentage. These parameters should have been fixed for an ongoing auction and their updates should only be applied to the next auction. As a result, for example, some undesirable behavior might occur, such as even when an acution is settled, the reservePrice requirement is not satisfied.

Vulnerability Detail

Consider the following scenario:

1. Suppose initially reservePrice = 0.2 ether;
2. The first bidder A bids for 0.2 ether and becomes the winning bidder.
3. The admin changes reservePrice = 0.3 ether, which means, the auction can only be settled with a minium bidding value of 0.3 ether.
4. Suppose no later bidders with a value of >= 0.3 ether.
5. As a result, A wins the auction with 0.2 ether. However, this does not satisfy the reservePrice requirement.

Impact

An auction might be settled without meeting the reservePrice requirement.

Code Snippet

https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouse.sol#L165-L189

Tool used

VSCode

Manual Review

Recommendation

The three parameters of an auction: timeBuffer, reservePrice, and minBidIncrementPercentage should be intialized at function _createAuction() and then fixed during the whole liftime of the auction.

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

I think the admin is trsuted not to do this