8 matches found
[PNM-002] finalize with malicious input may lock bidder funds in the contract
Lines of code Vulnerability details Description The finalize function of the contract SizeSealed is used to finalize an auction, allowing the auctioner or seller to be paid quote tokens and also eventually allowing successful bidders to withdraw base tokens. Once the finalize function is called,...
Front-running of bid calls
Lines of code Vulnerability details Description There is bid function in the SizeSealed contract. The function accepts the auctionId, which does not contain any information about the auction itself. As a result, transactions of users can be front-runned to enforce them bid for the auction with th...
[PNM-001] finalize with malicious input may allow multiple calls leading to fund draining
Lines of code Vulnerability details Description The finalize function of the contract SizeSealed is used to finalize an auction, allowing the auctioner or seller to be paid quote tokens and also eventually allowing successful bidders to withdraw base tokens. Once the finalize function is called,...
Denial of service when baseAmount is equal to zero
Lines of code Vulnerability details Vulnerability details Description There is a finalize function in the SizeSealed smart contract. The function traverses the array of the bids sorted by price descending. On each iteration, it calculates the quotePerBase. When this variable is calculated, the...
Bid can be cancelled after being finalized
Lines of code Vulnerability details Impact The SizeSealed contract's cancelBid function can be called after auction has been finalized, thereby allowing the bidder to withdraw their quoteToken after bid is finalized This is possible by bypassing the if a.data.lowestQuote != typeuint128.max ||...
Solmate's SafeTransferLib won't check if token has code, which can affect transfers in SizeSealed
Lines of code Vulnerability details Impact Not checking for token existence is a know issue for Solmate. This can cause unexpected contract functionality for transfers implemented in SizeSealed. Note that this might not be a problem for baseToken due to the check implemented in L103. However, thi...
SizeSealed.withdraw will revert on mulDivDown if a.data.lowest is the value zero, which can prevent withdraws for an auction
Lines of code Vulnerability details Proof of Concept The call to mulDivDown on L377 will revert if the third argument denominador is the value zero. See Solmate implementation. It's possible for a.data.lowestBase to receive the value zero, which will prevent the transfers from L381 and L384. Impa...
Casting to uint128 when valiue can exceed uint128.max
Lines of code Vulnerability details Impact In CommonTokenMath.tokensAvailableAtTime the result is cast to uint128 on line 62. Given that baseAmount close or at it's uint128.max, and cliffPercent is close or at it's max of 1e18 dictated on line 72 in SizeSealed.sol, cliffAmount can reach uint128.m...