Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 78/88
Findings: 1
Award: $8.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: neko_nyaa
Also found by: 0x52, 0xSmartContract, 0xc0ffEE, Josiah, KingNFT, Lambda, R2, RaymondFam, Ruhum, TomJ, Trust, TwelveSec, __141345__, c7e7eff, cccz, cryptostellar5, fs0c, hansfriese, horsefacts, ladboy233, minhtrng, pashov, rvierdiiev, sashik_eth, tonisives, wagmi
8.5414 USDC - $8.54
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163
For the base token, there's an explicit check to handle fee-on-transfer tokens. But, that's not done for the quote token. If such a token is used for an auction, the transaction of the last people to withdraw will fail. Their tokens will be locked up in the contract.
The bid() function just transfers quoteAmount from the caller to the contract. It doesn't verify that it received the exact amount: https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163
After the auction finishes and people start withdrawing their funds, the contract will reach a state where a user will have a higher quote token balance than the contract owns. Depending on who the last caller is, bid winner or looser, you get the following two scenarios:
Because the amount transferred when calling these functions is not user-controlled, there's no way to unlock part of the tokens. The only solution is for someone to send quote tokens to the contract so that the contract has enough tokens to cover the user's withdrawal.
none
Add the fee-on-transfer check to the bid() function as well.
#0 - c4-judge
2022-11-09T15:55:52Z
0xean marked the issue as duplicate
#1 - c4-judge
2022-12-06T00:25:35Z
0xean marked the issue as satisfactory