Platform: Code4rena
Start Date: 14/07/2022
Pot Size: $25,000 USDC
Total HM: 2
Participants: 63
Period: 3 days
Judge: PierrickGT
Total Solo HM: 1
Id: 147
League: ETH
Rank: 37/63
Findings: 1
Award: $39.92
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hickuphh3
Also found by: 0x29A, 0x52, 0xNazgul, Chom, Deivitto, ElKu, Funen, IllIllI, Meera, ReyAdmirado, SooYa, TomJ, Trumpero, Waze, __141345__, ak1, asutorufos, c3phas, cRat1st0s, csanuragjain, delfin454000, exd0tpy, fatherOfBlocks, hake, hansfriese, horsefacts, hyh, karanctf, kenzo, kyteg, ladboy233, pashov, peritoflores, rajatbeladiya, rbserver, reassor, rokinot, simon135, wastewa
39.9201 USDC - $39.92
Witch._payInk() works only when liquidatorCut > 0 and auction.auctioneer wouldn't get paid when liquidatorCut = 0 and auctioneerCut > 0.
As we can see from this comment, we think auctioneerCut will be 0 when liquidatorCut = 0.
Btw when the admin sets auctioneerReward here, there are no requirements that auctioneerReward must be less than 1e18 and this one might be set to 1e18 by mistake.
So from this calculation, auctioneerCut would be whole amount and liquidatorCut = 0 when auctioneerReward = 1e18.
Then Witch._payInk() won't work at all because this condition is false.
This scenario would be possible when auctioneerReward is almost the same as 1e18(not exactly 1e18, like 1e18 * 0.9999) and liquidatorCut is small enough.
Solidity Visual Developer of VSCode
Recommend modifying _payInk() like below.
function _payInk( DataTypes.Auction memory auction_, address to, uint256 liquidatorCut, uint256 auctioneerCut ) internal { if (liquidatorCut > 0 || auctioneerCut > 0) { IJoin ilkJoin = ladle.joins(auction_.ilkId); require(ilkJoin != IJoin(address(0)), "Join not found"); // Pay auctioneer's cut if necessary if (auctioneerCut > 0) { ilkJoin.exit(auction_.auctioneer, auctioneerCut.u128()); } // Give collateral to the liquidator if(liquidatorCut > 0) { ilkJoin.exit(to, liquidatorCut.u128()); } } }
#0 - alcueca
2022-07-22T13:25:26Z
While true, this issue only happens when using a parameter configuration that can only be ascribed to a botched governance change, and as such I'd suggest reducing the risk to low.
#1 - PierrickGT
2022-07-28T15:47:02Z
@alcueca before downgrading this issue to a QA Report one, I want to make sure this issue should not be marked as invalid instead.
In the README you mention that parameters of governance functions are not checked because you have some on-chain testing scripts in place to avoid any governance error.
Since this issue would only happen if the governance parameter auctioneerReward is not set properly, I'm inclined to label this issue as invalid.
#2 - PierrickGT
2022-07-30T13:05:24Z
I've downgraded this issue to QA report cause it is mentioned in the README that parameters owned by governance are being tested before being set.