
Recumbent Lead Crane - endAuction() might suffer from donation attack #1046

Open
sherlock-admin2 opened this issue Jan 23, 2025 · 0 comments

Comments

@sherlock-admin2
Contributor

Recumbent Lead Crane

Medium

endAuction() might suffer from donation attack

Summary

The endAuction() function in Auction.sol relies on the condition totalSellReserveAmount >= (IERC20(sellReserveToken).balanceOf(pool) * poolSaleLimit) / 100 to set the auction state to FAILED_POOL_SALE_LIMIT. This exposes the function to a donation attack, since an attacker can send some sellReserveToken to the pool to make this condition hold and get the auction state set to FAILED_POOL_SALE_LIMIT.

Root Cause

In Auction.sol:341-342
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L341-L342
auction state FAILED_POOL_SALE_LIMIT condition

In Auction.sol:356
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L356

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

This will cause claimBid() to revert with AuctionFailed().

PoC

No response

Mitigation

Use internal tracking of sellReserveToken balance.
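The following is an added, constructed illustration of the mitigation proposed above; it is not the Plaza Auction.sol code and its contract names, the `Pool.deposit()` path and the `trackedReserve` ledger are assumptions. The first auction derives its sale-limit threshold from `balanceOf(pool)`, a number any token holder can change with a plain `transfer()` to the pool without going through the pool's accounting. The second reads the pool's own ledger, which only moves on the deposit and withdraw paths the pool controls, so a direct token transfer no longer influences the FAILED_POOL_SALE_LIMIT decision.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not the audited Plaza contracts.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

enum State { BIDDING, SUCCEEDED, FAILED_POOL_SALE_LIMIT }

error AuctionFailed();

// Vulnerable pattern: the threshold is computed from the pool's live ERC20 balance.
contract AuctionUsingBalanceOf {
    IERC20  public immutable sellReserveToken;
    address public immutable pool;
    uint256 public immutable poolSaleLimit; // percent of pool reserve the auction may sell
    uint256 public totalSellReserveAmount;  // reserve committed to winning bids
    State   public state = State.BIDDING;

    constructor(IERC20 token, address pool_, uint256 limitPct) {
        sellReserveToken = token; pool = pool_; poolSaleLimit = limitPct;
    }

    function endAuction() external {
        require(state == State.BIDDING, "auction not active");
        // balanceOf(pool) counts every token sent to the pool, including tokens
        // pushed in by a direct transfer() that never touched the pool's accounting.
        uint256 limit = (sellReserveToken.balanceOf(pool) * poolSaleLimit) / 100;
        state = totalSellReserveAmount >= limit ? State.FAILED_POOL_SALE_LIMIT : State.SUCCEEDED;
    }

    function claimBid() external view {
        if (state == State.FAILED_POOL_SALE_LIMIT) revert AuctionFailed();
        // ... payout logic omitted ...
    }
}

// Hardened pattern: the pool keeps an internal ledger of reserve it received
// through deposit(); tokens that arrive by plain transfer() are not counted.
contract Pool {
    IERC20  public immutable reserveToken;
    uint256 public trackedReserve; // internal accounting, updated only here

    constructor(IERC20 token) { reserveToken = token; }

    function deposit(uint256 amount) external {
        require(reserveToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        trackedReserve += amount;
    }

    function withdraw(address to, uint256 amount) external {
        // access control omitted for brevity; a real pool restricts this
        trackedReserve -= amount; // reverts on underflow (0.8.x checked math)
        require(reserveToken.transfer(to, amount), "transfer failed");
    }
}

contract AuctionUsingTrackedReserve {
    Pool    public immutable pool;
    uint256 public immutable poolSaleLimit;
    uint256 public totalSellReserveAmount;
    State   public state = State.BIDDING;

    constructor(Pool pool_, uint256 limitPct) { pool = pool_; poolSaleLimit = limitPct; }

    function endAuction() external {
        require(state == State.BIDDING, "auction not active");
        // Threshold comes from the pool's own ledger, so a direct token
        // transfer to the pool cannot shift the sale-limit decision.
        uint256 limit = (pool.trackedReserve() * poolSaleLimit) / 100;
        state = totalSellReserveAmount >= limit ? State.FAILED_POOL_SALE_LIMIT : State.SUCCEEDED;
    }

    function claimBid() external view {
        if (state == State.FAILED_POOL_SALE_LIMIT) revert AuctionFailed();
        // ... payout logic omitted ...
    }
}
```

The trade-off is that the ledger and the real balance can drift apart when tokens are sent in directly; a pool using this pattern typically exposes a sweep or skim function so that surplus tokens can be reconciled deliberately rather than silently counted at the moment endAuction() runs.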
