SIZE contest - jayphbee's results

An on-chain sealed bid auction protocol.

General Information

Platform: Code4rena

Start Date: 04/11/2022

Pot Size: $42,500 USDC

Total HM: 9

Participants: 88

Period: 4 days

Judge: 0xean

Total Solo HM: 2

Id: 180

League: ETH

SIZE

Researcher Performance

Rank: 33/88

Findings: 1

Award: $138.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: neko_nyaa

Also found by: 8olidity, Bnke0x0, Matin, TwelveSec, brgltd, ctf_sec, djxploit, horsefacts, jayphbee

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-48

Awards

138.2838 USDC - $138.28

External Links

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L327
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L351
https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L381

Vulnerability details

Impact

A bidder can get baseToken for free if the auction creator specifies a quoteToken address without code.

Proof of Concept

The solmate SafeTransferLib leaves the responsibility for checking code existence to the user. In the createAuction method, the baseToken code existence is implicitly checked by calling the balanceOf function on it. If the baseToken address has no code, this call will revert.

        // Passes https://github.com/transmissions11/solmate/blob/main/src/utils/SafeTransferLib.sol#L9
        // Transfer base tokens to auction contract and check for tax tokens
        uint256 balanceBeforeTransfer = ERC20(auctionParams.baseToken).balanceOf(address(this));

However, it doesn't check the code existence of the auctionParams quoteToken. If the auction creator specifies an address without code, SafeTransferLib.safeTransfer and SafeTransferLib.safeTransferFrom will return successfully without reverting. In the bid function the bidder will transfer the said amount of quoteToken to the SizeSealed contract, but the contract actually receives nothing. https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163

SafeTransferLib.safeTransferFrom(ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount);

In the finalize period, the quoteToken is transferred to the seller by calling https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L327

SafeTransferLib.safeTransfer(ERC20(a.params.quoteToken), a.data.seller, filledQuote);

The seller receives nothing in the same way. That is to say, the bidder will get the baseToken for free.

Tools Used

manual review

Check the code existence for quoteToken in the createAuction function.

        .......
        if (
            FixedPointMathLib.mulDivDown(
                auctionParams.minimumBidQuote, type(uint128).max, auctionParams.totalBaseAmount
            ) > auctionParams.reserveQuotePerBase
        ) {
            revert InvalidReserve();
        }

        if (auctionParams.quoteToken.code.length == 0) {
            revert InvalidQuoteToken();
        }

        uint256 auctionId = ++currentAuctionId;
      ......
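
The behaviour described in the proof of concept, as an added Solidity example that is not part of the original submission, of SizeSealed.sol or of solmate. The contract and function names, the custom errors and the constructed no-code address are assumptions made for illustration; `looseTransferFrom` approximates the success rule of a transfer helper that does not check for code, and `strictTransferFrom` adds the check the report recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration only. All names here are hypothetical.
contract TransferCheckDemo {
    error NoCode(address token);
    error TransferFailed();

    /// Success rule without a code-existence check: the low-level call must not
    /// revert, and the returndata must be empty or decode to `true`.
    function looseTransferFrom(address token, address from, address to, uint256 amount)
        public
        returns (bool)
    {
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transferFrom(address,address,uint256)", from, to, amount)
        );
        // A CALL to an address with no code executes nothing:
        // ok == true and ret is empty, so this reports success.
        return ok && (ret.length == 0 || abi.decode(ret, (bool)));
    }

    /// Same transfer, but rejects a token address that has no deployed code.
    function strictTransferFrom(address token, address from, address to, uint256 amount)
        external
    {
        if (token.code.length == 0) revert NoCode(token);
        if (!looseTransferFrom(token, from, to, amount)) revert TransferFailed();
    }

    /// Calls the loose helper against a constructed address that holds no code.
    /// Returns (true, 0): a "successful" transfer although no token contract exists
    /// and no balance moved.
    function demo() external returns (bool reportedSuccess, uint256 codeSize) {
        // Constructed sample address; assumed to have no code on the chain used.
        address noCode = address(uint160(uint256(keccak256("constructed-no-code-address"))));
        codeSize = noCode.code.length;
        reportedSuccess = looseTransferFrom(noCode, msg.sender, address(this), 1 ether);
    }
}
```

A high-level call such as `ERC20(token).balanceOf(...)` reverts on the same address, which is why baseToken is covered implicitly in createAuction while quoteToken is not.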

#0 - trust1995

2022-11-08T23:27:35Z

This requires a major mistake made by seller, therefore the severity is overly inflated.

#1 - c4-judge

2022-11-09T16:42:17Z

0xean marked the issue as duplicate

#2 - c4-judge

2022-12-06T00:22:13Z

0xean marked the issue as satisfactory

#3 - c4-judge

2022-12-06T00:29:28Z

0xean changed the severity to 2 (Med Risk)
