Platform: Code4rena
Start Date: 13/12/2023
Pot Size: $36,500 USDC
Total HM: 18
Participants: 110
Period: 8 days
Judge: 0xTheC0der
Id: 311
League: ETH
Rank: 105/110
Findings: 1
Award: $1.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: jnforja
Also found by: 0x175, 0xCiphky, 0xDING99YA, 0xmystery, ArmedGoose, Aymen0909, Franklin, KupiaSec, McToady, MrPotatoMagic, Ocean_Sky, PNS, Pechenite, TermoHash, Topmark, _eperezok, alexbabits, deth, hals, imare, jeff, ktg, leegh, mahdirostami, marqymarq10, mojito_auditor, neocrao, ptsanev, twcctop, zraxx
1.337 USDC - $1.34
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L217
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L253
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/AuctionHouse.sol#L297
When an auction starts, it has established rules that all participants (creators, bidders, owner) agree to. However, the owner may change these rules at any time without informing the people involved, including the highest bidder. The bid cannot be withdrawn, so the auction proceeds will be divided according to new rules the bidder did not agree to. This breaks the terms all participants accepted when they entered the auction, undermines trust in the system, and may deprive the creator of earnings.
The auction conditions should remain unchanged throughout the duration of the auction.
When the auction starts, only startTime and endTime are saved in its parameters; the parameters that govern the division of profits are not stored, but read from the contract's current settings when the auction is settled.
File: AuctionHouse.sol

```solidity
auction = Auction({
    verbId: verbId,
    amount: 0,
    startTime: startTime,
    endTime: endTime,
    bidder: payable(0),
    settled: false
});
```
How profits from the auction are distributed is determined by the parameters creatorRateBps, minCreatorRateBps and entropyRateBps. While creatorRateBps cannot be set below minCreatorRateBps and minCreatorRateBps cannot be decreased, there is no restriction on changing entropyRateBps, which may deprive the creator of direct profits in ETH.
Manual review
The structure containing auction data should be extended with the profit-sharing parameters. This gives a permanent record of the terms the auction participants agree to at the beginning, which remains unchanged throughout the duration of the auction. Changes introduced by the owner take effect from the next auction. If a change in parameters is required for a running auction, it can be done by canceling the ongoing auction, refunding the funds and starting a new one.
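The snapshot pattern recommended above, as an added illustration that is not the project's or the warden's code: the split parameters are copied into the Auction struct when the auction is created and settlement reads only those copies, so an owner change to entropyRateBps mid-auction affects the next auction only. The contract name, the BPS constant, the split formula (creator share of amount * creatorRateBps / 10_000, of which entropyRateBps / 10_000 is paid as direct ETH) and the omission of bidding, the verb token and payouts are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch for this note, not Revolution Protocol's AuctionHouse. Assumed split,
// following the report: creators get amount * creatorRateBps / 10_000, and entropyRateBps
// / 10_000 of that share is paid as direct ETH. Bidding, verb token and payouts are omitted.
contract SnapshotAuctionHouse {
    uint256 internal constant BPS = 10_000;
    struct Auction {
        uint256 verbId;
        uint256 amount;
        uint256 startTime;
        uint256 endTime;
        address payable bidder;
        bool settled;
        uint256 creatorRateBps; // frozen when the auction starts
        uint256 entropyRateBps; // frozen when the auction starts
    }
    address public immutable owner = msg.sender;
    uint256 public creatorRateBps;
    uint256 public minCreatorRateBps;
    uint256 public entropyRateBps;
    Auction public auction;
    constructor(uint256 _creatorRate, uint256 _minRate, uint256 _entropyRate) {
        require(_minRate <= _creatorRate && _creatorRate <= BPS && _entropyRate <= BPS, "bad rates");
        (creatorRateBps, minCreatorRateBps, entropyRateBps) = (_creatorRate, _minRate, _entropyRate);
    }
    // The owner's change is stored, but only the next createAuction() picks it up.
    function setEntropyRateBps(uint256 newRate) external {
        require(msg.sender == owner && newRate <= BPS, "not owner or bad rate");
        entropyRateBps = newRate;
    }
    function createAuction(uint256 verbId, uint256 duration) external {
        require(msg.sender == owner && (auction.startTime == 0 || auction.settled), "auction active");
        auction = Auction({
            verbId: verbId, amount: 0, startTime: block.timestamp, endTime: block.timestamp + duration,
            bidder: payable(address(0)), settled: false,
            creatorRateBps: creatorRateBps, entropyRateBps: entropyRateBps // snapshot taken here
        });
    }
    // Settlement reads the frozen copies, never the mutable owner settings.
    function settleAuction() external returns (uint256 ethToCreator, uint256 heldForTokens) {
        require(block.timestamp >= auction.endTime && !auction.settled, "not ended or settled");
        auction.settled = true;
        uint256 creatorShare = (auction.amount * auction.creatorRateBps) / BPS;
        ethToCreator = (creatorShare * auction.entropyRateBps) / BPS;
        heldForTokens = creatorShare - ethToCreator;
    }
}
```

Calling setEntropyRateBps() between createAuction() and settleAuction() changes the public entropyRateBps but not auction.entropyRateBps, which is the value settleAuction() uses.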
Governance
#0 - c4-pre-sort
2023-12-22T19:44:03Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-12-22T19:44:10Z
raymondfam marked the issue as duplicate of #55
#2 - c4-pre-sort
2023-12-24T14:18:05Z
raymondfam marked the issue as duplicate of #495
#3 - c4-judge
2024-01-06T18:14:50Z
MarioPoneder changed the severity to QA (Quality Assurance)
#4 - c4-judge
2024-01-07T16:03:44Z
MarioPoneder marked the issue as grade-c
#5 - c4-judge
2024-01-10T17:32:52Z
This previously downgraded issue has been upgraded by MarioPoneder
#6 - c4-judge
2024-01-10T17:33:27Z
MarioPoneder marked the issue as duplicate of #515
#7 - c4-judge
2024-01-10T17:35:51Z
MarioPoneder marked the issue as partial-50
#8 - c4-judge
2024-01-11T18:03:12Z
MarioPoneder changed the severity to 2 (Med Risk)