Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 85/88
Findings: 1
Award: $5.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Trust
Also found by: 0x1f8b, 0xdapper, HE1M, KIntern_NA, Lambda, Picodes, RaymondFam, RedOneN, TomJ, V_B, __141345__, c7e7eff, chaduke, codexploder, corerouter, cryptonue, fs0c, gz627, hihen, joestakey, ktg, ladboy233, minhtrng, rvierdiiev, simon135, skyle, slowmoses, wagmi, yixxas
5.604 USDC - $5.60
A malicious user can purchase up to the entire sale amount at the minimumBidQuote, and at no additional cost, since cancelBid() refunds the entire amount.
A user who has placed a bid() pushes an element into the bids[] array permanently, and there is no way to remove that element. Even when cancelBid() is called, bids[].length does not decrease. This means an attacker can always place the minimum bid for the x number of tokens he wants to purchase, fill up the entire array so that no further bids can be placed by other users, and then get a refund for the bids he placed by calling cancelBid().
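The griefing sequence described above, as an added Python model (not the audited Solidity contract and not the warden's code): an attacker fills every slot at the minimum quote, cancels each bid for a full refund, and an honest bidder is then rejected. The cap MAX_BIDS, the constant MIN_BID_QUOTE, the escrow bookkeeping and the method names are assumptions made for the illustration; the `cancel_enabled=False` variant models the recommendation to remove cancelBid(), under which the same slots can still be filled but the attacker's quote tokens stay locked.

```python
"""Toy model of the bids[] griefing described in the finding.
Added example: constants, names and escrow logic are assumptions,
not the audited contract."""
from dataclasses import dataclass

MAX_BIDS = 8         # assumed per-auction cap on bids[].length
MIN_BID_QUOTE = 10   # assumed minimumBidQuote, in quote-token units


@dataclass
class Bid:
    bidder: str
    quote_amount: int
    cancelled: bool = False


class Auction:
    """cancel_enabled=True reproduces the reported behaviour: cancel_bid()
    refunds the full quote amount but the bids[] entry is never removed, so
    the slot stays consumed.  cancel_enabled=False models the recommendation
    of removing cancelBid() altogether."""

    def __init__(self, cancel_enabled: bool = True) -> None:
        self.cancel_enabled = cancel_enabled
        self.bids: list[Bid] = []
        self.escrow: dict[str, int] = {}  # quote tokens locked per bidder

    def bid(self, bidder: str, quote_amount: int) -> int:
        if quote_amount < MIN_BID_QUOTE:
            raise ValueError("below minimumBidQuote")
        if len(self.bids) >= MAX_BIDS:
            raise RuntimeError("bids[] full: no further bids accepted")
        self.bids.append(Bid(bidder, quote_amount))
        self.escrow[bidder] = self.escrow.get(bidder, 0) + quote_amount
        return len(self.bids) - 1  # index of the new bid

    def cancel_bid(self, bidder: str, index: int) -> int:
        if not self.cancel_enabled:
            raise RuntimeError("cancelBid() removed")
        b = self.bids[index]
        if b.bidder != bidder or b.cancelled:
            raise PermissionError("not an active bid of this bidder")
        b.cancelled = True                      # slot kept: len(bids) unchanged
        self.escrow[bidder] -= b.quote_amount   # full refund, no penalty
        return b.quote_amount


def grief(auction: Auction, attacker: str = "attacker") -> dict:
    """Fill every slot at the minimum quote, cancel where possible, then let an
    honest user try to bid.  Returns slots used, attacker capital still locked,
    and whether the honest bid was accepted."""
    indices = [auction.bid(attacker, MIN_BID_QUOTE) for _ in range(MAX_BIDS)]
    for i in indices:
        try:
            auction.cancel_bid(attacker, i)
        except RuntimeError:
            break  # cancelBid() removed: capital stays locked
    try:
        auction.bid("honest", MIN_BID_QUOTE * 5)
        honest_bid_accepted = True
    except RuntimeError:
        honest_bid_accepted = False
    return {
        "slots_used": len(auction.bids),
        "attacker_locked": auction.escrow.get(attacker, 0),
        "honest_bid_accepted": honest_bid_accepted,
    }


if __name__ == "__main__":
    print("with cancelBid():   ", grief(Auction(cancel_enabled=True)))
    print("without cancelBid():", grief(Auction(cancel_enabled=False)))
```

With cancellation enabled the attacker ends with zero tokens locked and every slot consumed, which is the "no additional cost" point of the finding; with cancellation removed the array can still be filled, but only by leaving MAX_BIDS * MIN_BID_QUOTE locked in escrow for the auction's duration.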
Manual Review
I recommend that cancelBid() be removed. It is a problematic function that can lead to a variety of issues, as mentioned in my other report - griefing of the auction.
#0 - c4-judge
2022-11-09T19:19:29Z
0xean marked the issue as duplicate
#1 - c4-judge
2022-12-06T00:23:00Z
0xean marked the issue as satisfactory