Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 46/88
Findings: 2
Award: $49.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Trust
Also found by: 0x1f8b, 0xdapper, HE1M, KIntern_NA, Lambda, Picodes, RaymondFam, RedOneN, TomJ, V_B, __141345__, c7e7eff, chaduke, codexploder, corerouter, cryptonue, fs0c, gz627, hihen, joestakey, ktg, ladboy233, minhtrng, rvierdiiev, simon135, skyle, slowmoses, wagmi, yixxas
5.604 USDC - $5.60
An attacker can fill up all the bids, steal, be the winner and cause a DoS, and then withdraw/refund the funds. Since the bid isn't taken off the array when doing a refund, an attacker can make 1000 bids, cause a DoS, and have a 100 percent chance of winning, causing a loss of funds.
There is no fee taken on the amount, and there can be a DoS, and it should be removed.
    b.sender = address(0);
    emit BidRefund(auctionId, bidIndex);
    SafeTransferLib.safeTransfer(ERC20(a.params.quoteToken), msg.sender, b.quoteAmount);
}
And no array slot is popped off, which can be filled, causing 100 percent winnings for the bidder. They are able to get all the bid amounts out, and even if they don't win they can't DoS the whole auction and still get their funds out with no punishment.
Remove the bid from an array or check the address.
Pseudocode: array.pop()
#0 - trust1995
2022-11-08T22:22:19Z
Lacking any specifics, believe it to be unsatisfactory.
#1 - c4-judge
2022-11-09T17:20:47Z
0xean marked the issue as duplicate
#2 - trust1995
2022-11-29T15:31:17Z
The submission does not explain a DOS vector properly and is not on par with the rest of the dups, imo.
#3 - c4-judge
2022-12-06T00:21:57Z
0xean marked the issue as satisfactory
#4 - c4-judge
2022-12-06T00:31:00Z
0xean changed the severity to 2 (Med Risk)
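The slot-retention pattern this finding describes, next to a refund that releases the slot, as an added example that is not code from the audited contract or from any warden. The contract name, function names, the use of native ETH instead of an ERC20 quote token, and the `MAX_BIDS` cap (taken from the "1000 bids" figure in the submission) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative model only; every name here is hypothetical.
contract BidSlots {
    struct Bid { address sender; uint256 quoteAmount; }

    uint256 public constant MAX_BIDS = 1000; // assumed cap on the bids array
    Bid[] public bids;

    error TooManyBids();
    error NotBidder();

    function bid() external payable returns (uint256 index) {
        if (bids.length >= MAX_BIDS) revert TooManyBids();
        bids.push(Bid(msg.sender, msg.value));
        return bids.length - 1;
    }

    // Pattern from the finding: the entry is cleared but stays in the array,
    // so a refunded bid still counts toward MAX_BIDS and the slot is never reusable.
    function refundKeepSlot(uint256 index) external {
        Bid storage b = bids[index];
        if (b.sender != msg.sender) revert NotBidder();
        uint256 amount = b.quoteAmount;
        b.sender = address(0);
        b.quoteAmount = 0;
        _pay(msg.sender, amount);
    }

    // Swap-and-pop: the refunded entry is overwritten by the last bid and the
    // array shrinks, so the slot becomes available to other bidders again.
    // Caveat: the moved bid changes index, so callers must not cache indices.
    function refundFreeSlot(uint256 index) external {
        Bid memory b = bids[index];
        if (b.sender != msg.sender) revert NotBidder();
        bids[index] = bids[bids.length - 1];
        bids.pop();
        _pay(msg.sender, b.quoteAmount);
    }

    // State is updated before this call (checks-effects-interactions).
    function _pay(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

If bid indices must stay stable, tracking a separate count of live bids and checking that against the cap achieves the same effect without reordering the array.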
🌟 Selected for report: 0x1f8b
Also found by: 0xSmartContract, 0xc0ffEE, Aymen0909, B2, Deivitto, Josiah, KingNFT, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Trust, ajtra, aviggiano, brgltd, c7e7eff, cryptonue, ctf_sec, delfin454000, djxploit, lukris02, peanuts, rvierdiiev, shark, simon135, slowmoses, tnevler, trustindistrust
44.2869 USDC - $44.29
// Fill the remaining unfilled base amount
if (data.filledBase + baseAmount > data.totalBaseAmount) { //@done this if statement is wrong
    baseAmount = data.totalBaseAmount - data.filledBase;
}
b.filledBaseAmount = baseAmount;
data.filledBase += baseAmount;
If baseAmount is more than totalBaseAmount then it will revert
// Auction has been fully filled
if (data.filledBase == data.totalBaseAmount) continue;
and this is possible if the base amounts are equal, but then you won't get the quote amount
// Transfer the left over baseToken
if (data.totalBaseAmount != data.filledBase) {
    uint128 unsoldBase = data.totalBaseAmount - data.filledBase;
    a.params.totalBaseAmount = data.filledBase;
    SafeTransferLib.safeTransfer(
        ERC20(a.params.baseToken),
        a.data.seller,
        unsoldBase
    );
}
when you should get tokens
baseTokensAvailable = baseTokensAvailable - b.baseWithdrawn;
b.baseWithdrawn += baseTokensAvailable;
just of time the loop will get to this
bta=BaseTokenAmount bw=basewithdraw
/*
bta=1e18 bw=1e18
bta=1e14 bw=1e22
bta=1e10
bta-bw //revert
*/
As the tokens decrease, the bw will get bigger, causing a revert
#0 - c4-judge
2022-11-10T02:48:15Z
0xean marked the issue as grade-b