SIZE contest - 0xc0ffEE's results

An on-chain sealed bid auction protocol.

General Information

Platform: Code4rena

Start Date: 04/11/2022

Pot Size: $42,500 USDC

Total HM: 9

Participants: 88

Period: 4 days

Judge: 0xean

Total Solo HM: 2

Id: 180

League: ETH

Researcher Performance

Rank: 45/88

Findings: 2

Award: $52.83

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

8.5414 USDC - $8.54

Labels

bug
2 (Med Risk)
satisfactory
duplicate-47

External Links

Lines of code

https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L96-L105

Vulnerability details

Impact

When a new auction is created, auctionParams.totalBaseAmount of the base token is transferred from the seller to SizeSealed, and the contract then checks its own balance: balanceAfterTransfer - balanceBeforeTransfer != auctionParams.totalBaseAmount. This check can fail when the base token is inflationary, deflationary or rebasing. With a deflationary token, for example, the recipient's balance increases by less than the transferred amount (balanceAfterTransfer - balanceBeforeTransfer < auctionParams.totalBaseAmount). Because there is no documentation about token behavior restrictions, this issue should be considered

Proof of Concept

https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L96-L105

Tools Used

Manual review

The contract should track the actual balance increase instead of verifying it, so that withdrawals still succeed when the auction ends:

    uint256 balanceBeforeTransfer = ERC20(auctionParams.baseToken).balanceOf(address(this));
    SafeTransferLib.safeTransferFrom(ERC20(auctionParams.baseToken), msg.sender, address(this), auctionParams.totalBaseAmount);
    uint256 balanceAfterTransfer = ERC20(auctionParams.baseToken).balanceOf(address(this));
    a.params.totalBaseAmount = balanceAfterTransfer - balanceBeforeTransfer;
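The failure mode and the mitigation described above, as an added example that is not part of the original submission or the SIZE code base: a constructed token that burns 1% of every transfer, and a hypothetical Escrow contract with the strict check next to the tracked-amount variant. FeeToken, Escrow and every function name here are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example with hypothetical names; not code from the SIZE repository.

/// Constructed deflationary token: 1% of every transfer is burned.
contract FeeToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1e24; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;  // reverts on insufficient allowance
        balanceOf[from] -= amount;              // reverts on insufficient balance
        balanceOf[to] += amount - amount / 100; // recipient gets 99% of amount
        return true;
    }
}

contract Escrow {
    mapping(uint256 => uint256) public deposited; // auction id => recorded base amount
    uint256 public nextId;

    error UnexpectedBalanceChange();

    /// Strict equality check as in the finding: always reverts for FeeToken.
    function createStrict(FeeToken token, uint256 amount) external returns (uint256 id) {
        uint256 beforeBal = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), amount);
        uint256 afterBal = token.balanceOf(address(this));
        if (afterBal - beforeBal != amount) revert UnexpectedBalanceChange();
        id = nextId++;
        deposited[id] = amount;
    }

    /// Mitigation from the finding: record what actually arrived.
    function createTracked(FeeToken token, uint256 amount) external returns (uint256 id) {
        uint256 beforeBal = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), amount);
        id = nextId++;
        deposited[id] = token.balanceOf(address(this)) - beforeBal; // 99% of amount
    }
}
```

Recording the received amount covers transfer fees; a rebasing token's balance can still change after the deposit, so the recorded figure can drift from what the contract holds.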

#0 - c4-judge

2022-11-09T19:56:38Z

0xean marked the issue as duplicate

#1 - c4-judge

2022-12-06T00:22:11Z

0xean marked the issue as satisfactory

Awards

44.2869 USDC - $44.29

Labels

bug
grade-b
QA (Quality Assurance)
Q-16

External Links

  1. The bid function should check whether the auction is still valid by checking a.data.seller != address(0). The seller can cancel the auction, after which it keeps accepting bids forever but nobody can finalize it. A bidder who unintentionally bids on a cancelled auction wastes gas fees (the bidder has to cancel the bid to retrieve the funds).
  2. The cancelBid function should remove the bid at bidIndex from a.bids, so that the count of 1000 bids in the bid function does not include cancelled bids; this increases the number of effective bids.

#0 - c4-judge

2022-11-10T02:48:49Z

0xean marked the issue as grade-b
