Starknet Auction

First Flight #26
Submission Details
Severity: high
Valid

Bidders can lose tokens if they bid multiple times

Summary

The `bid` function lets a bidder lose their previous bid if they bid more than once in the same auction, because the new bid overwrites the stored record of the earlier one.

Vulnerability Details

The `bid` function does not prevent a bidder from bidding more than once. Each call pulls the full `amount` from the bidder, but the bidder's record in `bid_values` is overwritten with the new amount rather than increased, so the tokens from the earlier bid are no longer attributed to the bidder and cannot be withdrawn.

```cairo
fn bid(ref self: ContractState, amount: u64) {
    // ...
    let current_bid = self.highest_bid.read();
    // ...
    // Overwrites whatever this sender had recorded from an earlier bid
    self.bid_values.entry(sender).write(amount);
    self.emit(NewHighestBid {amount: self.highest_bid.read(), sender: sender});
    self.highest_bidder.write(sender);
    self.highest_bid.write(amount);
    // ...
}
```

Impact

Loss of ERC20 tokens for any user bidding multiple times

Tools Used

Manual

Recommendations

Either prevent a user from bidding more than once, or add the new amount to the bidder's existing record in `bid_values` instead of overwriting it.
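The loss described in the vulnerability details and the accumulating fix from the recommendation, as an added model that is not the audited contract's code. The token ledger, the `Auction` class, the highest-bid check and the withdrawal rule for losing bidders are constructed here; the only thing taken from the page is the overwrite of the bidder's record.

```python
"""Model of the auction bid accounting: overwrite (the bug) versus accumulate (the fix).

Constructed example. The token ledger and auction rules below are assumptions
made for illustration; only the `bid_values` overwrite mirrors the page.
"""
from dataclasses import dataclass, field


class InsufficientBalance(Exception):
    pass


class BidTooLow(Exception):
    pass


@dataclass
class Token:
    """Minimal ERC20-style ledger standing in for the auction's payment token."""
    balances: dict = field(default_factory=dict)

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise InsufficientBalance(f"{sender} cannot pay {amount}")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


@dataclass
class Auction:
    """Escrow auction; `accumulate=True` selects the corrected accounting."""
    token: Token
    accumulate: bool
    address: str = "auction"
    bid_values: dict = field(default_factory=dict)
    highest_bidder: str = ""
    highest_bid: int = 0

    def bid(self, sender: str, amount: int) -> None:
        if self.accumulate:
            # Fix: the bidder's running total is what competes and what is stored.
            total = self.bid_values.get(sender, 0) + amount
        else:
            # Bug as on the page: the new amount replaces the earlier record,
            # so tokens from the earlier bid stop being attributed to anyone.
            total = amount
        if total <= self.highest_bid:          # assumed rule: must beat current high
            raise BidTooLow(f"{total} does not beat {self.highest_bid}")
        # Tokens are pulled on every call, whichever accounting branch ran.
        self.token.transfer(sender, self.address, amount)
        self.bid_values[sender] = total
        self.highest_bidder = sender
        self.highest_bid = total

    def withdraw(self, sender: str) -> int:
        """Losing bidders reclaim exactly what `bid_values` says they are owed."""
        if sender == self.highest_bidder:
            raise PermissionError("highest bidder cannot withdraw")
        owed = self.bid_values.get(sender, 0)
        self.bid_values[sender] = 0
        self.token.transfer(self.address, sender, owed)
        return owed

    def stranded_tokens(self) -> int:
        """Escrowed tokens that no bidder record can ever claim."""
        return self.token.balances.get(self.address, 0) - sum(self.bid_values.values())


def run_scenario(accumulate: bool) -> dict:
    """Alice bids twice around a competing bid from Bob; Bob then withdraws.

    Returns what Alice's record says versus what she actually deposited.
    """
    token = Token({"alice": 1000, "bob": 1000})
    auction = Auction(token=token, accumulate=accumulate)
    auction.bid("alice", 100)
    auction.bid("bob", 150)
    auction.bid("alice", 200)   # second bid from the same address
    auction.withdraw("bob")     # losing bidder recovers his 150
    return {
        "alice_recorded": auction.bid_values["alice"],
        "alice_deposited": 1000 - token.balances["alice"],
        "escrowed": token.balances[auction.address],
        "stranded": auction.stranded_tokens(),
    }


if __name__ == "__main__":
    print("overwrite  :", run_scenario(accumulate=False))
    print("accumulate :", run_scenario(accumulate=True))
```

With the overwrite, Alice has deposited 300 tokens but her record says 200, and the contract holds 100 tokens that no withdrawal can reach; with accumulation the record and the deposit agree and `stranded_tokens()` is zero. A useful invariant to check in the contract's tests is exactly that: the escrow balance equals the sum of all stored bid values after every call.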

Updates

bube Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong bid amount in `bid` function

In the `bid` function the bid values are stored using `self.bid_values.entry(sender).write(amount)` directly, but this overwrites any previous bids made by the same bidder. Therefore, if a participant makes two or more bids, the participant can then withdraw only the value of the last bid. That is incorrect: the protocol should save all bids, and a participant should be able to withdraw the value of all unsuccessful bids.
