You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
USDC Blacklist Breaks Auction Settlement and Claims
Title
Critical Settlement Failure Due to USDC Blacklist in Auction Settlement and Claims
Severity
HIGH - Complete loss of funds and broken settlement mechanism
Description
The auction's settlement and claim processes can be permanently disrupted if the beneficiary address or winning bidders are USDC blacklisted, leading to locked funds and failed settlements.
The vulnerability exists in two critical settlement functions:
Auction Settlement:
function endAuction() external onlyPool {
// ... state checks
if (state == State.SUCCEEDED) {
// Transfer all collected USDC to beneficiary
IERC20(buyCouponToken).safeTransfer(beneficiary, IERC20(buyCouponToken).balanceOf(address(this)));
}
as you can see this function directly transfers winner the winning amount if the bidder gets blacklisted after bidding this will cause a revert and failed auctions
Cheerful Flaxen Poodle
High
blacklisted
Summary
USDC Blacklist Breaks Auction Settlement and Claims
Title
Critical Settlement Failure Due to USDC Blacklist in Auction Settlement and Claims
Severity
HIGH - Complete loss of funds and broken settlement mechanism
Description
The auction's settlement and claim processes can be permanently disrupted if the beneficiary address or winning bidders are USDC blacklisted, leading to locked funds and failed settlements.
The vulnerability exists in two critical settlement functions:
Auction Settlement:
function endAuction() external onlyPool {
// ... state checks
if (state == State.SUCCEEDED) {
// Transfer all collected USDC to beneficiary
IERC20(buyCouponToken).safeTransfer(beneficiary, IERC20(buyCouponToken).balanceOf(address(this)));
}
as you can see this function directly transfers winner the winning amount if the bidder gets blacklisted after bidding this will cause a revert and failed auctions
Root Cause
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/14a962c52a8f4731bbe4655a2f6d0d85e144c7c2/plaza-evm/src/Auction.sol#L336-L350
Internal Pre-conditions
No response
External Pre-conditions
No response
Attack Path
No response
Impact
Unable to process auctions
PoC
No response
Mitigation
Separate transfer
The text was updated successfully, but these errors were encountered: