Lack of deadline parameter in take can cause losses for the taker
Summary
Vulnerability Detail
The take function doesn't have a deadline parameter
gh link
function take(
uint256 id, // Auction id
uint256 amt, // Upper limit on amount of collateral to buy [wad]
uint256 max, // Maximum acceptable price (DAI / collateral) [ray]
address who, // Receiver of collateral and external call address
bytes calldata data // Data to pass in external call; if length 0, no call is done
) external lock isStopped(3) {
A taker will call the take function when it is obtainable at no worse than open market price. But this estimation can become incorrect if the transaction doesn't get executed within a short timeframe and the price of the collateral decreases at a faster pace than the auction pricing. This will cause the taker to effectively suffer a loss
Impact
Taker's/setup arbitrage bots can effectively loose value in times of network congestion and asset price decline
This is an inherited functionality from the original Clipper, then it is out of scope to challenge a specific design decision coming from there (stated in the contest rules).
hash
Medium
Lack of deadline parameter in
take
can cause losses for the takerSummary
Vulnerability Detail
The
take
function doesn't have a deadline parameter gh linkA taker will call the take function when it is obtainable at no worse than open market price. But this estimation can become incorrect if the transaction doesn't get executed within a short timeframe and the price of the collateral decreases at a faster pace than the auction pricing. This will cause the taker to effectively suffer a loss
Impact
Taker's/setup arbitrage bots can effectively loose value in times of network congestion and asset price decline
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/lockstake/src/LockstakeClipper.sol#L332-L338
Tool used
Manual Review
Recommendation
Add a deadline parameter to restrict the allowed time for tx execution