SIZE contest - R2's results

An on-chain sealed bid auction protocol.

General Information

Platform: Code4rena

Start Date: 04/11/2022

Pot Size: $42,500 USDC

Total HM: 9

Participants: 88

Period: 4 days

Judge: 0xean

Total Solo HM: 2

Id: 180

League: ETH

SIZE

Findings Distribution

Researcher Performance

Rank: 48/88

Findings: 2

Award: $46.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Trust

Also found by: 8olidity, HE1M, JTJabba, KIntern_NA, KingNFT, M4TZ1P, Picodes, PwnedNoMore, R2, V_B, bin2chen, cryptonue, cryptphi, fs0c, hansfriese

Awards

38.2759 USDC - $38.28

Labels

bug
3 (High Risk)
partial-25
duplicate-252

External Links

Lines of code

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L217

Vulnerability details

Impact

In the finalize function, clearingQuote may be set to type(uint256).max. Then the atState() checks will fail in the refund() and withdraw() functions, and it will be impossible to return money to bidders.

Proof of Concept

  1. The seller calls the reveal() function for a finished auction with no finalizeData
  2. A malicious user calls finalize() with `clearingQuote = type(uint256).max`
  3. Then the atState(idToAuction[auctionId], States.Finalized) checks in refund() and withdraw() will fail

Tools Used

vs code

Check clearingQuote value

#0 - trust1995

2022-11-09T00:43:03Z

Low quality, not descriptive enough to be satisfactory.

#1 - c4-judge

2022-11-24T13:55:20Z

0xean marked the issue as duplicate of #252

#2 - c4-judge

2022-11-24T13:55:25Z

0xean marked the issue as partial-25

Awards

8.5414 USDC - $8.54

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-47

External Links

Lines of code

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L351

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L439

Vulnerability details

Impact

When you are sending quote tokens back to the bidder (in cancelBid() and refund()), you are sending the exact quoteAmount. But if it's a token with a fee, it will lead to service DoS and freezing of user funds.

Proof of Concept

  1. Alan creates auction 123, selling tokens X (base) for token Y (quote). Y has fees: 1%
  2. Bob created a bid: 100 Y tokens. But your contract receives only 99 Y tokens because of fees. Your balance is 99 Y tokens
  3. Ceed created a bid: 200 Y tokens. But your contract receives only 198 Y tokens because of fees. Your balance is 297 Y tokens
  4. Ceed cancelled his bid and you are sending him 200 Y back. Your balance is 97 Y tokens
  5. Bob wants to cancel his bid too, but you have only 97 Y tokens and can't send him 100 Y tokens. So his funds will be frozen

Tools Used

vs code

Check balances before and after, as you are doing with base token

#0 - c4-judge

2022-11-09T15:47:03Z

0xean marked the issue as duplicate

#1 - c4-judge

2022-12-06T00:23:15Z

0xean marked the issue as satisfactory

#2 - c4-judge

2022-12-06T00:29:53Z

0xean changed the severity to 2 (Med Risk)
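
The arithmetic of the fee-on-transfer proof of concept above, carried through as an added Python model (not code from the contest repository or from the submission). `FeeToken`, `Escrow` and `run_poc` are hypothetical names, and the model assumes the 1% fee is deducted from the recipient's amount on every transfer; `measure_received=True` applies the suggested balance-before/after check.

```python
FEE_BPS = 100  # 1% transfer fee on quote token Y, as in the proof of concept


class FeeToken:
    """Constructed model of a fee-on-transfer ERC-20 (integer units)."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")  # an ERC-20 transfer would revert
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class Escrow:
    """Holds bids. measure_received=False records the nominal bid amount."""

    def __init__(self, token, measure_received):
        self.token, self.measure, self.bids = token, measure_received, {}

    def bid(self, bidder, amount):
        before = self.token.balances.get("escrow", 0)
        self.token.transfer(bidder, "escrow", amount)
        received = self.token.balances["escrow"] - before
        # Mitigation: credit what actually arrived, not what was requested.
        self.bids[bidder] = received if self.measure else amount

    def cancel_bid(self, bidder):
        self.token.transfer("escrow", bidder, self.bids[bidder])
        del self.bids[bidder]  # only reached if the transfer did not revert


def run_poc(measure_received):
    """Replay steps 2-5: Bob bids 100, Ceed bids 200, Ceed cancels, Bob cancels."""
    token = FeeToken(FEE_BPS)
    token.mint("bob", 100)
    token.mint("ceed", 200)
    escrow = Escrow(token, measure_received)
    escrow.bid("bob", 100)
    escrow.bid("ceed", 200)
    escrow.cancel_bid("ceed")
    try:
        escrow.cancel_bid("bob")
        return "refunded", token.balances["escrow"]
    except ValueError:
        return "frozen", token.balances["escrow"]
```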
