Submission Details
Severity:
Users can't buy ZENO for the start price
Summary
Incorrect condition in the whenActive modifier makes it impossible to buy ZENO for the state.startingPrice price. So users will always buy ZENO at a discount which causes some losses for the protocol.
Vulnerability Details
The Auction.whenActive modifier prevents buying when block.timestamp == state.startTime:
modifier whenActive() {
>> require(block.timestamp > state.startTime, "Auction not started");
require(block.timestamp < state.endTime, "Auction ended");
_;
}
This way users can buy ZENO only at a discount:
function getPrice() public view returns (uint256) {
if (block.timestamp < state.startTime) return state.startingPrice;
if (block.timestamp >= state.endTime) return state.reservePrice;
return state.startingPrice - (
(state.startingPrice - state.reservePrice) *
>> (block.timestamp - state.startTime) /
(state.endTime - state.startTime)
);
}
Impact
Unintended behavior, some losses
Tools used
Manual Review
Recommendations
Consider starting an auction at the state.startTime:
modifier whenActive() {
- require(block.timestamp > state.startTime, "Auction not started");
+ require(block.timestamp => state.startTime, "Auction not started");
require(block.timestamp < state.endTime, "Auction ended");
_;
}
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.