Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 79/88
Findings: 1
Award: $8.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: neko_nyaa
Also found by: 0x52, 0xSmartContract, 0xc0ffEE, Josiah, KingNFT, Lambda, R2, RaymondFam, Ruhum, TomJ, Trust, TwelveSec, __141345__, c7e7eff, cccz, cryptostellar5, fs0c, hansfriese, horsefacts, ladboy233, minhtrng, pashov, rvierdiiev, sashik_eth, tonisives, wagmi
8.5414 USDC - $8.54
SizeSealed supports any arbitrary token as both the base and quote token. During auction creation they specifically disallow fee-on-transfer tokens for the base token. For bids they don't disallow fee-on-transfer for the quote token. Auctions run with these tokens will develop token accounting issues when withdrawing and refunding.
Using a fee-on-transfer token for the quote token will break auction withdrawing and refunding
EncryptedBid memory ebid; ebid.sender = msg.sender; ebid.quoteAmount = quoteAmount; ebid.commitment = commitment; ebid.pubKey = pubKey; ebid.encryptedMessage = encryptedMessage; uint256 bidIndex = a.bids.length; // Max of 1000 bids on an auction to prevent DOS if (bidIndex >= 1000) { revert InvalidState(); } a.bids.push(ebid); SafeTransferLib.safeTransferFrom(ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount);
SizeSealed#bid doesn't check the amount of quote token received from the quote token transfer. Should the quote token be fee-on-transfer, ebid.quoteAmount and the actual amount received will be different. When withdrawing or refunding it will attempt to send more of the token than it has.
Manual Review
Check the balance before and after the transfer and revert if fee-on-transfer is detected.
#0 - c4-judge
2022-11-09T17:56:11Z
0xean marked the issue as duplicate
#1 - c4-judge
2022-12-06T00:25:42Z
0xean marked the issue as satisfactory