Code4rena: 2022-11-SIZE findings, issue 214
Nov 08, 2022

[PNM-003] finalize can be called by bidders, allows them to cancelBid

Source: Code4rena (github.com)
Tags: vulnerability, fund loss, malicious bidder, user checks, access control, public function

Lines of code

Vulnerability details

Description

The finalize function finalizes the auction: it locks all bids and pays the seller.

However, any user, including a bidder, can call finalize, because it is a public function with no check on the caller.

This lets a bidder pass malicious clearing data, which then allows cancelBid to be called after finalize, something that should never be possible.

This can drain funds from the contract: when a malicious bidder calls cancelBid, the full bid amount is refunded. If that bidder was also a winner, the contract loses further base tokens, because finalize has already forwarded all winning bidders' payments to the seller.

POC

  • ‘seller’ creates an auction as normal (requires base to quote token ratio <= 1)
  • Bidding takes place as normal
  • A malicious bidder calls finalize with the quote token set to type(uint128).max and the base token set to the amount that satisfies the original ratio.
  • The malicious bidder, or any other bidder, can then call cancelBid, because the internal check a.lowestBase != type(uint128).max fails

Recommended Fix:

Access-gate the finalize function so that only the seller can call it.
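As an added illustration (not the SIZE project's code; contract, field and function names are a simplified hypothetical sketch), this shows the shape of the seller-only gate the fix describes, plus a defence-in-depth check that rejects the "not finalized" sentinel as a clearing value:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Simplified sealed-bid auction sketch (hypothetical, not the SIZE contract) that
// shows the seller-only gate on finalize which the finding recommends.
contract AuctionSketch {
    struct Bid { address bidder; uint128 quoteAmount; bool cancelled; }
    struct Auction {
        address seller;
        uint128 lowestBase;  // type(uint128).max until finalized (sentinel)
        uint128 lowestQuote;
        Bid[] bids;
    }
    error UnauthorizedCaller();
    error AuctionFinalized();
    error InvalidClearing();
    mapping(uint256 => Auction) internal auctions;
    // Creating an auction sets the sentinel so cancelBid can tell the states apart.
    function createAuction(uint256 id) external {
        Auction storage a = auctions[id];
        a.seller = msg.sender;
        a.lowestBase = type(uint128).max;
        a.lowestQuote = type(uint128).max;
    }

    function bid(uint256 id, uint128 quoteAmount) external {
        auctions[id].bids.push(Bid(msg.sender, quoteAmount, false));
    }

    // FIX: only the seller may finalize. Without this check any bidder could pick the
    // clearing values (including the sentinel) and keep cancelBid usable after payout.
    function finalize(uint256 id, uint128 clearingBase, uint128 clearingQuote) external {
        Auction storage a = auctions[id];
        if (msg.sender != a.seller) revert UnauthorizedCaller();
        // Defence in depth: the sentinel means "not finalized" and is never a valid price.
        if (clearingBase == type(uint128).max || clearingQuote == type(uint128).max) revert InvalidClearing();
        a.lowestBase = clearingBase;
        a.lowestQuote = clearingQuote;
        // ... settle winning bids and pay the seller (omitted)
    }

    function cancelBid(uint256 id, uint256 bidIndex) external {
        Auction storage a = auctions[id];
        Bid storage b = a.bids[bidIndex];
        if (msg.sender != b.bidder) revert UnauthorizedCaller();
        // Once finalize has run the sentinel is gone, so refunds must stop here.
        if (a.lowestBase != type(uint128).max) revert AuctionFinalized();
        b.cancelled = true;
        // ... refund b.quoteAmount to the bidder (omitted)
    }
}
```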
