Submission Details
Severity:
Lack of Effective Deadline Timestamp in buy() Function
Summary
The buy() function in the Auction contract does not implement an effective deadline timestamp, allowing transactions to be executed at unintended times. This exposes users to risks such as slippage, delayed execution, and potential front-running attacks.
The function relies on getPrice(), which is time-dependent.
-
If the transaction is delayed, the price can fluctuate drastically, causing users to overpay or underpay
-
No transaction expiration mechanism exists, allowing unintended execution at a later time.
Impact
The lack of a deadline timestamp in buy() introduces risks of slippage, delayed execution, and front-running attacks. Implementing a deadline parameter enhances transaction predictability and user protection.
Tools Used
manual review
Recommendations
Modify the buy() function to include a deadline parameter that enforces an expiration time.
function buy(uint256 amount, uint256 deadline) external whenActive {
require(block.timestamp <= deadline, "Transaction expired"); // Enforce deadline
require(block.timestamp < state.endTime, "Auction has ended");
require(amount <= state.totalRemaining, "Not enough ZENO remaining");
uint256 price = getPrice();
uint256 cost = price * amount;
require(usdc.transferFrom(msg.sender, businessAddress, cost), "Transfer failed");
bidAmounts[msg.sender] += amount;
state.totalRemaining -= amount;
state.lastBidTime = block.timestamp;
state.lastBidder = msg.sender;
zeno.mint(msg.sender, amount);
emit ZENOPurchased(msg.sender, amount, price);
}
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.