TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Bidders may bid at a high price and cannot revoke

Summary

In DaiGoldAuction and SpiceAuction, the current bidding mechanism allows users to bid a certain amount of bidToken to the auction. After the auction ends, the number of auctionToken they receive depends on their share of the totalBidTokenAmount. This mechanism could be unfair to users, as they cannot foresee the total amount of bidToken that will be bid (there’s no fixed hardcap), and they cannot revoke their bid. As a result, users could end up bidding at a much higher price if they receive fewer auctionToken than anticipated.

Vulnerability Details

In DaiGoldAuction and SpiceAuction, the current bidding mechanism operates as follows:

  • Users bid a certain amount of bidToken to the auction:

function bid(uint256 amount) external virtual override {
    ...
@=> depositors[msg.sender][epochId] += amount;
@=> info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochId, amount);
}

  • After the auction ends, the number of auctionToken users receive depends on their share in the totalBidTokenAmount:

function claim(uint256 epochId) external virtual override {
    ...
@=> uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);
    ...
}

The current mechanism lacks a hardcap for each auction, preventing users from predicting the total amount of bidToken that will be bid and the number of auctionToken they will receive.

Furthermore, users cannot revoke their bid if the exchange ratio exceeds their expectations. This lack of control over slippage means that if a large bidder (whale) participates, all users end up paying a higher price.

Impact

The lack of protection disincentivizes users from bidding. Additionally, users who bid may end up bidding at a higher price than expected, with no ability to revoke their bid.

Tools Used

Manual

Recommendations

  • Add hardcap and softcap limits to the auction.

  • Allow users to revoke their bids if certain conditions are met.
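The dilution described above and the effect of the first recommendation can be checked with a small integer model. This is an added example, not TempleGold code: the class name, the `hard_cap` parameter, the reject-on-overflow behaviour and all numbers are assumptions, and the `false` argument to mulDivRound is assumed to mean rounding down.

```python
# Added illustration: integer model of the pro-rata auction described above.
# ProRataAuction and hard_cap are hypothetical names, not the project's API.

class ProRataAuction:
    def __init__(self, total_auction_token, hard_cap=None):
        self.total_auction_token = total_auction_token  # totalAuctionTokenAmount
        self.total_bid = 0                               # totalBidTokenAmount
        self.deposits = {}                               # depositors[bidder]
        self.hard_cap = hard_cap                         # None = uncapped, as reported

    def bid(self, bidder, amount):
        # Assumed cap behaviour: reject any bid that would push the total past the cap.
        if self.hard_cap is not None and self.total_bid + amount > self.hard_cap:
            raise ValueError("hard cap exceeded")
        self.deposits[bidder] = self.deposits.get(bidder, 0) + amount
        self.total_bid += amount

    def claim_amount(self, bidder):
        # Same shape as claim(): bid * totalAuctionTokenAmount / totalBidTokenAmount,
        # with integer division standing in for mulDivRound(..., false).
        return self.deposits[bidder] * self.total_auction_token // self.total_bid

    def worst_case_claim(self, amount):
        # Only a cap gives a floor the bidder can compute before bidding.
        if self.hard_cap is None:
            return None
        return amount * self.total_auction_token // self.hard_cap


def scenario(hard_cap=None):
    """Constructed numbers: 1,000 auction tokens; Alice bids 100, then a whale bids 9,900."""
    auction = ProRataAuction(1_000, hard_cap)
    auction.bid("alice", 100)
    before = auction.claim_amount("alice")  # Alice's claim if bidding stopped here
    try:
        auction.bid("whale", 9_900)
        whale_accepted = True
    except ValueError:
        whale_accepted = False
    after = auction.claim_amount("alice")   # Alice's claim at auction end
    return before, after, whale_accepted, auction.worst_case_claim(100)
```

Without a cap, Alice's claim for the same 100 bidToken falls from 1,000 to 10 auctionToken once the whale bids; with a cap of 2,000 the whale's bid is rejected and Alice knows in advance she can never receive fewer than 50.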

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

jesjupyter Submitter about 1 year ago
inallhonesty Lead Judge about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
