Bent Taupe Pangolin
Medium
The auction will be set to a failed state if totalSellReserveAmount exceeds poolSaleLimit ratio. A malicious actor can grief by always bidding a high amount, refunding his full amount afterwards.
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L342
function endAuction() external auctionExpired whenNotPaused {
if (state != State.BIDDING) revert AuctionAlreadyEnded();
if (currentCouponAmount < totalBuyCouponAmount) {
state = State.FAILED_UNDERSOLD;
} else if (totalSellReserveAmount >= (IERC20(sellReserveToken).balanceOf(pool) * poolSaleLimit) / 100) {
@> state = State.FAILED_POOL_SALE_LIMIT;
} else {
state = State.SUCCEEDED;
Pool(pool).transferReserveToAuction(totalSellReserveAmount);
IERC20(buyCouponToken).safeTransfer(beneficiary, IERC20(buyCouponToken).balanceOf(address(this)));
}Nothing prevents a malicious actor intentionally bidding in order to increase totalSellReserveAmount over the limit ratio for the ongoing auction, causing it to fail. After auction has ended he can fully refund his bid.
function claimRefund(uint256 bidIndex) auctionExpired auctionFailed whenNotPaused external {
Bid storage bidInfo = bids[bidIndex];
if (bidInfo.bidder != msg.sender) revert NothingToClaim();
if (bidInfo.claimed) revert AlreadyClaimed();
bidInfo.claimed = true;
IERC20(buyCouponToken).safeTransfer(bidInfo.bidder, bidInfo.sellCouponAmount);
emit BidRefundClaimed(bidIndex, bidInfo.bidder, bidInfo.sellCouponAmount);
}No response
No response
- Attacker makes a high bid (eg in last few minutes of auction) to increase the
totalSellReserveAmountover thepoolSaleLimitratio. - Since
poolSaleLimitcan't be changed for ongoing auctions, there is almost no risk for attacker. - After auction has failed, he refunds back his deposit.
Griefing attack on auction functionality.
No response
Reduce accepted bids/totalSellReserveAmount to the proportion of wanted limit.