search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

hash - Lack of deadline parameter in `take` can cause losses for the taker #119

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

hash

Medium

Lack of deadline parameter in take can cause losses for the taker

Summary

Vulnerability Detail

The take function doesn't have a deadline parameter gh link

    function take(
        uint256 id,           // Auction id
        uint256 amt,          // Upper limit on amount of collateral to buy  [wad]
        uint256 max,          // Maximum acceptable price (DAI / collateral) [ray]
        address who,          // Receiver of collateral and external call address
        bytes calldata data   // Data to pass in external call; if length 0, no call is done
    ) external lock isStopped(3) {

A taker will call the take function when it is obtainable at no worse than open market price. But this estimation can become incorrect if the transaction doesn't get executed within a short timeframe and the price of the collateral decreases at a faster pace than the auction pricing. This will cause the taker to effectively suffer a loss

Impact

Taker's/setup arbitrage bots can effectively loose value in times of network congestion and asset price decline

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/lockstake/src/LockstakeClipper.sol#L332-L338

Tool used

Manual Review

Recommendation

Add a deadline parameter to restrict the allowed time for tx execution

sunbreak1211 commented 1 month ago

This is an inherited functionality from the original Clipper, then it is out of scope to challenge a specific design decision coming from there (stated in the contest rules).