Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Improper Auction End Time Check in whenActive Modifier

Summary


The whenActive modifier in the auction contract does not properly enforce the auction end time. The condition:

require(block.timestamp < state.endTime, "Auction ended");

does not prevent transactions that occur exactly at state.endTime, allowing users to bid when the auction is supposed to be closed.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/zeno/Auction.sol#L36

Vulnerability Details

Impact

Unintended Auction Extensions:

  • If a transaction is included in a block where block.timestamp == state.endTime, it bypasses the intended restriction and executes.

Front-Running Attack Risk:

  • Malicious actors or bots can attempt last-second transactions to manipulate the auction outcome, gaining an unfair advantage.

Incorrect Auction Closing Behavior:

  • Users expect the auction to strictly end at state.endTime, but due to this bug, transactions are still processed at the exact moment of closure.

Tools Used

Manual review

Recommendations

Modify the whenActive modifier to properly prevent transactions at state.endTime by using <= instead of < in the second condition:

    modifier whenActive() {
        require(block.timestamp > state.startTime, "Auction not started");
        require(block.timestamp <= state.endTime, "Auction ended"); // ✅ FIX: Use <=
        _;
    }

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
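
A boundary test for the two forms of the end-time check discussed in this submission, as an added example that is not part of the submission or of the RAAC code base. `AuctionWindow`, its plain `startTime`/`endTime` fields (standing in for `state.startTime`/`state.endTime`), the function names and the timestamps are constructed for illustration; it assumes a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Constructed harness: only the time window from the page, no bidding logic.
contract AuctionWindow {
    uint256 internal immutable startTime;
    uint256 internal immutable endTime;

    constructor(uint256 start_, uint256 end_) { startTime = start_; endTime = end_; }

    // End-time check as quoted in the Summary (strict <).
    modifier whenActive() {
        require(block.timestamp > startTime, "Auction not started");
        require(block.timestamp < endTime, "Auction ended");
        _;
    }

    // End-time check as written in the Recommendations (<=).
    modifier whenActiveRecommended() {
        require(block.timestamp > startTime, "Auction not started");
        require(block.timestamp <= endTime, "Auction ended");
        _;
    }

    function bid() external view whenActive returns (bool) { return true; }
    function bidRecommended() external view whenActiveRecommended returns (bool) { return true; }
}

contract AuctionWindowBoundaryTest is Test {
    AuctionWindow internal w;
    uint256 internal constant END = 2_000; // constructed timestamps

    function setUp() public { w = new AuctionWindow(1_000, END); }

    // One second before endTime both forms accept the call.
    function test_lastSecondBeforeEnd() public {
        vm.warp(END - 1);
        assertTrue(w.bid());
        assertTrue(w.bidRecommended());
    }

    // At block.timestamp == endTime the two forms differ.
    function test_exactlyAtEnd() public {
        vm.warp(END);
        assertTrue(w.bidRecommended()); // <= accepts a call at endTime
        vm.expectRevert("Auction ended");
        w.bid(); // strict < reverts at endTime
    }
}
```

Run with `forge test`; the only timestamp at which the two modifiers disagree is `block.timestamp == endTime`.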
