Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 21/88
Findings: 2
Award: $182.57
🌟 Selected for report: 0
🚀 Solo Findings: 0
138.2838 USDC - $138.28
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L327 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L351 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L381 https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L439
Not checking for token existence is a know issue for Solmate. This can cause unexpected contract functionality for transfers implemented in SizeSealed. Note that this might not be a problem for baseToken due to the check implemented in L103. However, this can lead to issues for quoteToken.
createAuction() with a quoteToken in which the address doesn't contain codebid(), finalize(), refund(), withdraw() and cancelBid() will not revert and will result in silent failures.https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L327
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L351
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L381
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L439
Check if baseToken, and most importantly if quoteToken, contain code when creating an auction.
diff --git a/src/SizeSealed.sol b/src/SizeSealed.sol --- a/src/SizeSealed.sol +++ b/src/SizeSealed.sol @@ -81,6 +81,13 @@ contract SizeSealed is ISizeSealed { revert InvalidReserve(); } + if ( + auctionParams.baseToken.code.length == 0 || + auctionParams.quoteToken.code.length == 0 + ) { + revert InvalidToken(); + } + uint256 auctionId = ++currentAuctionId; Auction storage a = idToAuction[auctionId];
#0 - trust1995
2022-11-08T22:23:43Z
Seller can theoretically suffer from abuse if they finalize an auction where malicious buyers bid with nonexisting tokens. However, only seller can be impacted negatively, and it requires serious negligence on their part.
#1 - 0xean
2022-11-09T15:17:22Z
Yea, there are some serious pre-conditions for this to occur, but could see it being M. Will leave open for sponsor review.
#2 - c4-judge
2022-11-09T15:17:26Z
0xean marked the issue as primary issue
#3 - midori-fuse
2022-11-14T22:46:02Z
However, only seller can be impacted negatively, and it requires serious negligence on their part.
Buyer can be impacted as well, if malicious sellers decides to make this an attack vector. See https://github.com/code-423n4/2022-11-size-findings/issues/48
#4 - RagePit
2022-11-17T21:30:45Z
Incredibly unlikely but confirming as Medium given the good argument in #48
#5 - c4-sponsor
2022-11-17T21:30:53Z
RagePit marked the issue as sponsor confirmed
#6 - c4-judge
2022-11-28T22:24:54Z
0xean marked the issue as satisfactory
#7 - C4-Staff
2023-06-26T19:03:01Z
captainmangoC4 marked issue #48 as primary and marked this issue as a duplicate of 48
🌟 Selected for report: 0x1f8b
Also found by: 0xSmartContract, 0xc0ffEE, Aymen0909, B2, Deivitto, Josiah, KingNFT, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Trust, ajtra, aviggiano, brgltd, c7e7eff, cryptonue, ctf_sec, delfin454000, djxploit, lukris02, peanuts, rvierdiiev, shark, simon135, slowmoses, tnevler, trustindistrust
44.2869 USDC - $44.29
Consider adding a check to validate auctionParams.baseToken and auctionParams.quoteToken are not address zero.
If these variables get configured with address zero, it will result in unexpected behavior for the contract.
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L92
https://github.com/code-423n4/2022-11-size/blob/main/src/interfaces/ISizeSealed.sol#L77-L78
Consider adding natspec on all functions to improve documentation.
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L466-L480
The solidity documentation recommends the following order for functions:
constructor receive function (if exists) fallback function (if exists) external public internal private
The instances bellow shows one public function between two external functions.
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L177
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L217
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L336
Some functions return named variables, others return explicit values.
Following function returns an explicit value
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L466
Following function returns a named variable
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L475
Consider adopting a consistent approach to return values throughout the codebase by removing all named return variables, explicitly declaring them as local variables, and adding the necessary return statements where appropriate. This would improve both the explicitness and readability of the code, and it may also help reduce regressions during future code refactors.
#0 - c4-judge
2022-11-10T02:53:09Z
0xean marked the issue as grade-b