Starknet Auction

First Flight #26
Tags: Beginner Friendly, NFT
Submission Details
Severity: high
Valid

[EVMN] Overwritten Bidders' Past Bids

Summary

A bidder's past bids are overwritten with the new ones, preventing them from withdrawing assets of unsuccessful bids.

Vulnerability Details

The code on line 108 does not account for a bidder's past bids. For example, if a bidder submits a bid of 1 Ether and then submits another bid of 2 Ether, the contract stores only the 2 Ether and overwrites the previous 1 Ether bid. If the bidder loses the auction, they can withdraw only 2 Ether and therefore lose 1 Ether.

Impact

The bidder loses assets from the unsuccessful bids.

Tools Used

Manual review.

Recommendations

Consider accumulating the bidder's past bids.
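The recommended fix, as an added Cairo 2 example that is not the audited contract's code: the overwriting `self.bid_values.entry(sender).write(amount)` pattern named in this finding is shown commented out beside an accumulating write. The `bid_values` map name, the `bid` entry point and the `u256` amount type are assumptions mirroring the finding; the real contract's token transfer and highest-bid bookkeeping are omitted.

```cairo
// Added example (not the project's code). Minimal contract keeping only the
// per-bidder deposit map so the overwrite-vs-accumulate difference is visible.
use starknet::ContractAddress;

#[starknet::interface]
pub trait IBids<TContractState> {
    fn bid(ref self: TContractState, amount: u256);
    fn bid_of(self: @TContractState, bidder: ContractAddress) -> u256;
}

#[starknet::contract]
pub mod Bids {
    use starknet::{ContractAddress, get_caller_address};
    use starknet::storage::{
        Map, StoragePathEntry, StoragePointerReadAccess, StoragePointerWriteAccess,
    };

    #[storage]
    struct Storage {
        // Assumed name: total amount each bidder has deposited and may withdraw
        // if their bids are unsuccessful.
        bid_values: Map<ContractAddress, u256>,
    }

    #[abi(embed_v0)]
    impl BidsImpl of super::IBids<ContractState> {
        fn bid(ref self: ContractState, amount: u256) {
            let sender = get_caller_address();

            // Vulnerable pattern from the finding: a second bid replaces the
            // first, so a losing bidder can later withdraw only the latest amount.
            // self.bid_values.entry(sender).write(amount);

            // Fix: add the new bid to what the bidder already deposited, so every
            // unsuccessful bid remains withdrawable. u256 addition panics on
            // overflow, which is the desired behaviour for a balance.
            let entry = self.bid_values.entry(sender);
            let previous = entry.read();
            entry.write(previous + amount);
        }

        // View used to check the stored total (1 + 2 = 3 after the bids in the
        // finding's example, instead of 2 with the overwriting write).
        fn bid_of(self: @ContractState, bidder: ContractAddress) -> u256 {
            self.bid_values.entry(bidder).read()
        }
    }
}
```

Whether the bidder's deposited balance is tracked separately from their current highest bid is a design choice of the real contract; the point here is that the withdrawable total must never be reduced by a later bid.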

Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong bid amount in `bid` function

In the `bid` function the bid values are stored using `self.bid_values.entry(sender).write(amount)` directly, but this overwrites any previous bids made by the same bidder. Therefore, if a participant makes 2 or more bids, the participant can then withdraw only the value of the last bid. That is incorrect; the protocol should save all bids, and a participant should be able to withdraw the value of all unsuccessful bids.
