Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 75/88
Findings: 2
Award: $14.14
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: neko_nyaa
Also found by: 0x52, 0xSmartContract, 0xc0ffEE, Josiah, KingNFT, Lambda, R2, RaymondFam, Ruhum, TomJ, Trust, TwelveSec, __141345__, c7e7eff, cccz, cryptostellar5, fs0c, hansfriese, horsefacts, ladboy233, minhtrng, pashov, rvierdiiev, sashik_eth, tonisives, wagmi
8.5414 USDC - $8.54
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L163
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L321
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L327
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L351
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L381
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L384
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L409
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L439
Some ERC20 may be tricky for the balance. Such as:
For these tokens, the balance can change even without transfer()/transferFrom(). Users' funds could be locked:
As long as one of the base token and quote token has this issue, the whole contract could be affected.
The before and after transfer balance is checked in createAuction(); however, none of the following functions take into account the potential changes in token balance:
bid()
finalize()
refund()
withdraw()
cancelAuction()
cancelBid()
Manual analysis.
#0 - trust1995
2022-11-08T23:14:14Z
The contract does not claim to support fee on transfer tokens, it is supposed to filter them out during createAuction phase. Warden did not spot that the bid() function does allow fee-on-transfer quoteTokens, which is the root of the issue.
#1 - c4-judge
2022-11-09T15:47:56Z
0xean marked the issue as duplicate
#2 - c4-judge
2022-12-06T00:22:08Z
0xean marked the issue as satisfactory
🌟 Selected for report: Trust
Also found by: 0x1f8b, 0xdapper, HE1M, KIntern_NA, Lambda, Picodes, RaymondFam, RedOneN, TomJ, V_B, __141345__, c7e7eff, chaduke, codexploder, corerouter, cryptonue, fs0c, gz627, hihen, joestakey, ktg, ladboy233, minhtrng, rvierdiiev, simon135, skyle, slowmoses, wagmi, yixxas
5.604 USDC - $5.60
https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L157-L159 https://github.com/code-423n4/2022-11-size/blob/79aa9c01987e57a760521acecfe81b28eab3b313/src/SizeSealed.sol#L415-L440
A cancelled bid is not deleted from a.bids, so the a.bids array cannot be shortened. Eventually it could exceed the maximum number of 1000 bids and no new bid can be placed.
The bidder's first bid
A malicious bidder can first place a bid at reserveQuotePerBase, then repeatedly create and cancel bids until the bids[] array reaches the maximum length, so no new bids can be added.
// src/SizeSealed.sol
function bid() {
    // ...
    if (bidIndex >= 1000) {
        revert InvalidState();
    }
    // ...
}
As a result, the whole auction will not function as expected. Either sell the base token to the malicious user at the reserveQuotePerBase, or just cancel the auction.
Manual analysis.
In cancelBid(), delete the bid from the a.bids array if the bid is cancelled.
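The slot accounting behind this finding and its recommended fix, as an added example that is not code from SizeSealed.sol or from the warden's report. The contract name, struct fields, MAX_BIDS and all function names other than bid() are hypothetical; only the 1000-bid cap and the InvalidState revert come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the audited contract. Token transfers and refunds
// are omitted so that only the array-length accounting is visible.
contract BidBookModel {
    struct Bid { address bidder; uint128 quoteAmount; bool cancelled; }

    uint256 public constant MAX_BIDS = 1000; // cap quoted in the finding
    Bid[] public bids;

    error InvalidState();
    error NotBidder();

    function bid(uint128 quoteAmount) external returns (uint256 bidIndex) {
        bidIndex = bids.length;
        // Same shape as the quoted check: the cap is enforced on array length,
        // not on the number of bids that are still live.
        if (bidIndex >= MAX_BIDS) revert InvalidState();
        bids.push(Bid(msg.sender, quoteAmount, false));
    }

    // Behaviour the finding describes: the entry is flagged but its slot is
    // never freed, so each cancelled bid still counts toward MAX_BIDS.
    function cancelBidKeepSlot(uint256 bidIndex) external {
        Bid storage b = bids[bidIndex];
        if (b.bidder != msg.sender) revert NotBidder();
        if (b.cancelled) revert InvalidState();
        b.cancelled = true;
    }

    // Recommended direction: remove the entry so the cap bounds live bids only.
    // Swap-and-pop is O(1) but moves the last bid into bidIndex, so indices
    // held by other bidders can change after a cancellation (model assumption;
    // a real contract must account for that when bids are referenced by index).
    function cancelBidFreeSlot(uint256 bidIndex) external {
        if (bids[bidIndex].bidder != msg.sender) revert NotBidder();
        uint256 last = bids.length - 1;
        if (bidIndex != last) bids[bidIndex] = bids[last];
        bids.pop();
    }

    // Capacity left for new bids; never recovers under cancelBidKeepSlot.
    function slotsRemaining() external view returns (uint256) {
        return MAX_BIDS - bids.length;
    }
}
```

With cancelBidKeepSlot, slotsRemaining() only ever decreases, which is the condition the finding relies on; with cancelBidFreeSlot it returns to its prior value after each cancellation.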
#0 - trust1995
2022-11-08T23:26:19Z
Dup of #238
#1 - c4-judge
2022-11-09T15:35:46Z
0xean marked the issue as duplicate
#2 - c4-judge
2022-12-06T00:22:12Z
0xean marked the issue as satisfactory
#3 - c4-judge
2022-12-06T00:31:04Z
0xean changed the severity to 2 (Med Risk)