The bid function enforces neither a minimum bid amount nor a minimum number of bidders. Because the TGLD minted for a bidding period is shared out among whatever bids were received, this is a critical vulnerability: if nobody else bids during the week and a single user bids 1 DAI, that user receives every TGLD minted for that period for just 1 DAI.
Scenario 1 (normal participation):
- Users bid normally; 1,000,000 TGLD are minted and total bids come to 100,000 DAI.
- Each user receives 10 TGLD per DAI bid.
- Exchange rate: 1 DAI = 10 TGLD.

Scenario 2 (single bidder):
- Only one user bids, and bids just 1 DAI, because there is no minimum bid amount.
- 1,000,000 TGLD are minted.
- That user receives 1,000,000 TGLD for 1 DAI.
- Exchange rate: 1 DAI = 1,000,000 TGLD.

Even if the amount minted for the period were reduced in Scenario 2, the bidder would still receive at least 10,000 TGLD for 1 DAI, a thousand times the rate obtained in Scenario 1.
This leads to severe economic imbalance and is trivially exploitable: a single bidder can acquire a grossly disproportionate share of TGLD for a negligible bid, undermining both the token's value and the fairness of the bidding process.
Manual Review
Enforce a minimum bid amount in the bid function and check the number of distinct bidders before the minted TGLD is distributed, so that scenarios like Scenario 2 cannot occur. How a period that fails the bidder-count check is handled (for example, refunding the bidders) is a design decision for the team, but the TGLD must not be handed out at an arbitrary rate.
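The following sketch shows one way to add both checks. It is an added illustration, not the project's code: the contract name, the epoch bookkeeping, the threshold values (100 DAI per bid, 5 distinct bidders) and the refund-on-failure behaviour are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. The contract name, the epoch
// bookkeeping, the two thresholds and the refund-on-failure behaviour are
// assumptions; the point is the two checks the finding asks for.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MinimumBidAuctionSketch {
    IERC20 public immutable bidToken; // DAI
    IERC20 public immutable tgld;     // token being sold

    uint256 public constant EPOCH_DURATION = 1 weeks;
    uint256 public constant MIN_BID = 100e18;  // assumed floor: 100 DAI per bid
    uint256 public constant MIN_BIDDERS = 5;   // assumed minimum distinct bidders

    struct Epoch {
        uint256 endTime;
        uint256 totalTgld;    // TGLD allocated to this epoch
        uint256 totalBids;    // DAI committed
        uint256 bidderCount;  // distinct bidders, not bids
    }

    uint256 public currentEpoch;
    mapping(uint256 => Epoch) public epochs;
    mapping(uint256 => mapping(address => uint256)) public deposits;
    mapping(uint256 => mapping(address => bool)) public claimed;

    error BidTooSmall(uint256 amount, uint256 minimum);
    error EpochEnded();
    error EpochNotEnded();
    error AlreadyClaimed();
    error NothingToClaim();

    constructor(IERC20 _bidToken, IERC20 _tgld) {
        bidToken = _bidToken;
        tgld = _tgld;
    }

    // Assumed to be called by the project's minter after transferring
    // `tgldAmount` TGLD to this contract; access control omitted for brevity.
    function startEpoch(uint256 tgldAmount) external {
        require(block.timestamp >= epochs[currentEpoch].endTime, "epoch still running");
        currentEpoch += 1;
        epochs[currentEpoch] = Epoch({
            endTime: block.timestamp + EPOCH_DURATION,
            totalTgld: tgldAmount,
            totalBids: 0,
            bidderCount: 0
        });
    }

    function bid(uint256 amount) external {
        Epoch storage e = epochs[currentEpoch];
        if (block.timestamp >= e.endTime) revert EpochEnded();
        // Check 1: minimum bid amount. Without it a 1 wei bid is a valid bid.
        if (amount < MIN_BID) revert BidTooSmall(amount, MIN_BID);

        if (deposits[currentEpoch][msg.sender] == 0) {
            e.bidderCount += 1; // count each address once
        }
        deposits[currentEpoch][msg.sender] += amount;
        e.totalBids += amount;
        require(bidToken.transferFrom(msg.sender, address(this), amount), "DAI transfer failed");
    }

    // Check 2: the epoch only distributes TGLD if enough distinct bidders took part.
    function epochFailed(uint256 epochId) public view returns (bool) {
        Epoch storage e = epochs[epochId];
        return block.timestamp >= e.endTime && e.bidderCount < MIN_BIDDERS;
    }

    function claim(uint256 epochId) external {
        Epoch storage e = epochs[epochId];
        if (block.timestamp < e.endTime) revert EpochNotEnded();
        if (claimed[epochId][msg.sender]) revert AlreadyClaimed();
        uint256 deposit = deposits[epochId][msg.sender];
        if (deposit == 0) revert NothingToClaim();
        claimed[epochId][msg.sender] = true;

        if (epochFailed(epochId)) {
            // Too few participants: refund the DAI instead of handing the
            // whole TGLD allocation to one or two bidders (Scenario 2).
            require(bidToken.transfer(msg.sender, deposit), "refund failed");
            return;
        }
        // Pro-rata share, the same rate every bidder in the epoch receives.
        uint256 share = deposit * e.totalTgld / e.totalBids;
        require(tgld.transfer(msg.sender, share), "TGLD transfer failed");
    }
}
```

Two points worth noting when adapting this. The bidder count is incremented per address, not per bid, so one user splitting a deposit into many bids cannot satisfy MIN_BIDDERS on their own (though Sybil addresses still can, which is why the minimum bid amount matters as well). And when an epoch fails the bidder-count check, the TGLD allocated to it stays in the contract; returning it to the minter or rolling it into the next epoch is outside the scope of this finding and is left to the team.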