Rhythmic Powder Swan - Unsorted Bids After removeExcessBids Due to Lack of Re-Sorting

[sherlock-admin2]

Rhythmic Powder Swan

Medium

Unsorted Bids After removeExcessBids Due to Lack of Re-Sorting

Summary

The Auction contract's removeExcessBids function modifies bids to ensure the total currentCouponAmount does not exceed the totalBuyCouponAmount. However, it fails to re-sort the bids after modifying them, which can lead to the sorted bids becoming unsorted. This breaks the auction's invariant that bids must always be sorted in descending order of price, potentially causing incorrect auction behavior, such as prioritizing lower-priced bids over higher-priced ones.

The removeExcessBids function iterates over the bids starting from the lowest-priced bid and reduces the sellCouponAmount and buyReserveAmount of a bid to bring the total currentCouponAmount within the totalBuyCouponAmount limit. However, after modifying a bid, the function does not re-sort the bids. This can result in the modified bid being in the wrong position in the sorted list.

https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L250

Root Cause

In Auction.sol https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol

The root cause is the lack of re-sorting after modifying a bid in the removeExcessBids function. When a bid’s buyReserveAmount and sellCouponAmount are modified, its price (buyReserveAmount / sellCouponAmount) may change. If the modified bid’s price is no longer in the correct position, the sorted list becomes inconsistent.

Internal Pre-conditions

• The currentCouponAmount exceeds the totalBuyCouponAmount.
• The removeExcessBids function is called to reduce the total currentCouponAmount.

External Pre-conditions

• Multiple bids have been placed in the auction.
• The total currentCouponAmount of the bids exceeds the totalBuyCouponAmount.

Attack Path

• Users place multiple bids with varying prices.
• The total currentCouponAmount exceeds the totalBuyCouponAmount.
  -The removeExcessBids function is triggered to reduce the total currentCouponAmount.
• The function modifies a bid but does not re-sort the bids.
  -The modified bid is left in the wrong position in the sorted list.
• The auction prioritizes lower-priced bids over higher-priced ones, leading to incorrect behavior.

Impact

The auction may prioritize lower-priced bids over higher-priced ones, leading to unfair outcomes.

PoC

Consider the following bids sorted in descending order of price:

Bid Index | buyReserveAmount | sellCouponAmount | Price (buyReserveAmount / sellCouponAmount)
1 100 10 10.0
2 90 10 9.0
3 80 10 8.0
4 100 20 5.0

Suppose the totalBuyCouponAmount is 25, and the currentCouponAmount is 30. The removeExcessBids function will reduce the lowest-priced bid (Bid 4) to bring the total within the limit.
After reduction:

• Bid 4’s sellCouponAmount is reduced from 20 to 5.
• Bid 4’s buyReserveAmount is reduced proportionally from 100 to 25.
  Now, Bid 4’s price becomes:
  price = 25 / 5 = 5.0

If there were another bid with a price of 4.0, Bid 4 would no longer be in the correct position, and the sorted list would become inconsistent.

Mitigation

he removeExcessBids function should re-sort the bids after modifying them.