Back to sashik_eth's contests

SIZE contest - sashik_eth's results

An on-chain sealed bid auction protocol.

General Information

Platform: Code4rena

Start Date: 04/11/2022

Pot Size: $42,500 USDC

Total HM: 9

Participants: 88

Period: 4 days

Judge: 0xean

Total Solo HM: 2

Id: 180

League: ETH

SIZE

Findings Distribution

Researcher Performance

Rank: 80/88

Findings: 1

Award: $8.54

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositorySIZE

Findings Information

🌟 Selected for report: neko_nyaa

Also found by: 0x52, 0xSmartContract, 0xc0ffEE, Josiah, KingNFT, Lambda, R2, RaymondFam, Ruhum, TomJ, Trust, TwelveSec, __141345__, c7e7eff, cccz, cryptostellar5, fs0c, hansfriese, horsefacts, ladboy233, minhtrng, pashov, rvierdiiev, sashik_eth, tonisives, wagmi

Awards

8.5414 USDC - $8.54

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-47

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L150-L163

Vulnerability details

Impact

Some ERC20 tokens could have fees for each transfer, they are known as "fee-on-transfer" tokens. While there is a check inside createAuction() function that prevents these tokens from being baseToken, FoT tokens still allowed to be quoteToken which could lead to a problem with accounting correct amount of deposited tokens on contract.

Proof of Concept

Inside bid() function amount of deposited tokens stored from function parameter quoteAmount value, no matter how many tokens are actually transferred to the contract:

src/SizeSealed.sol:150        ebid.quoteAmount = quoteAmount;
    ...
src/SizeSealed.sol:163        SafeTransferLib.safeTransferFrom(ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount);

So it's a possible scenario:

  1. Alice creates an auction with FoT token ABC (with a 5% fee) as quoteToken. She may don't know that ABC has fees on transfer or that fees could be inactive at the moment of auction creation.
  2. Bob placed a bid with 100 tokens. While the contract saves a value of 100 in ebid.quoteAmount real contract balance of token ABC is 95 due to the 5% fee.
  3. Bob decides to cancel the bid using cancelBid function. While the contract call's safeTransfer() with amount 100 (due to saved value in b.quoteAmount) actual balance is 95 and the transaction revert's. Bob's funds are locked since the contract has lack of tokens ABC.

Add in bid() function the same check for FoT token as in createAuction() function:

        uint256 balanceBeforeTransfer = ERC20(a.params.quoteToken).balanceOf(address(this));

        SafeTransferLib.safeTransferFrom(
            ERC20(a.params.quoteToken), msg.sender, address(this), quoteAmount
        );

        uint256 balanceAfterTransfer = ERC20(a.params.quoteToken).balanceOf(address(this));
        if (balanceAfterTransfer - balanceBeforeTransfer != quoteAmount) {
            revert UnexpectedBalanceChange();
        }

This would prevent bidders from depositing FoT tokens with activated fees.

#0 - trust1995

2022-11-08T22:24:40Z

Dup of #255

#1 - c4-judge

2022-11-09T17:20:14Z

0xean marked the issue as duplicate

#2 - c4-judge

2022-12-06T00:21:58Z

0xean marked the issue as satisfactory

#3 - c4-judge

2022-12-06T00:29:46Z

0xean changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter