The Auction contract allows the businessAddress (the recipient of auction proceeds) to be set to an externally owned account (EOA) or an invalid contract address. If funds are sent to an EOA, they may become permanently inaccessible, violating the protocol's financial safeguards.
Steps to Exploit:
A privileged admin accidentally or intentionally configures businessAddress as an EOA (e.g., a user’s wallet) instead of a verified contract (e.g., a Treasury or multi-sig).
Auction Execution: Users buy ZENO tokens, and funds are sent to the invalid businessAddress.
Funds Lost: Since the EOA cannot process incoming USDC transfers (e.g., lacks transferFrom logic), funds are permanently stuck.
Code Proof:
In Auction.sol, businessAddress is assigned without validation:
Attack Simulation:
Deployment exploit:
User Participation: Alice buys 100 ZENO tokens, sending 10,000 USDC to 0x123....
Result: The USDC is trapped in the EOA, rendering protocol funds irrecoverable.
Impact:
Permanent Fund Loss: Assets sent to EOAs cannot be programmatically recovered.
Protocol Insolvency: If businessAddress holds critical reserves, the protocol may collapse.
Reputation Damage: Users lose trust in the protocol's ability to safeguard funds.
Tools Used: Manual review
Recommended Mitigation: Validate that businessAddress is a contract. Use OpenZeppelin's Address library to ensure businessAddress is a contract before storing it.
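As an added illustration (not code from the project's Auction.sol), the unchecked assignment described under "Code Proof" is shown beside a hardened version that applies the recommended contract check. The contract names, the `onlyOwner` modifier, the event and the custom errors are assumptions; only `businessAddress` comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code, not the project's Auction.sol. Names other than
// `businessAddress` are assumptions made for this example.

// Vulnerable pattern described in the finding: the address is stored as given,
// so an EOA or any other non-contract address is accepted.
contract AuctionUnchecked {
    address public businessAddress;
    address public owner;

    constructor(address _businessAddress) {
        owner = msg.sender;
        businessAddress = _businessAddress; // no validation at all
    }
}

// Hardened pattern: reject address(0) and any address without runtime bytecode,
// both at deployment and on every later update.
contract AuctionChecked {
    address public businessAddress;
    address public owner;

    event BusinessAddressUpdated(address indexed previous, address indexed current);

    error NotAContract(address target);
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _businessAddress) {
        owner = msg.sender;
        _setBusinessAddress(_businessAddress);
    }

    function setBusinessAddress(address _businessAddress) external onlyOwner {
        _setBusinessAddress(_businessAddress);
    }

    function _setBusinessAddress(address _businessAddress) internal {
        // Same test OpenZeppelin's Address.isContract performs in 4.x:
        // EOAs and address(0) have no code, so code.length is 0.
        if (_businessAddress.code.length == 0) revert NotAContract(_businessAddress);
        emit BusinessAddressUpdated(businessAddress, _businessAddress);
        businessAddress = _businessAddress;
    }
}
```

Two caveats a reviewer would attach to this check: `code.length` (and `Address.isContract`, which OpenZeppelin removed in its 5.x release) is 0 for a contract that is still running its constructor and says nothing about whether the contract can actually move USDC onward, so it only rules out plain EOAs; restricting `businessAddress` to a known treasury or multi-sig address is the stronger control. Emitting an event on every change also gives off-chain monitoring a clear signal when the recipient is altered.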