Skinny Pink Bear
Medium
Overly restrictive modifier will cause a fund lockup for outbid participants as auction contract will incorrectly block refund claims in successful auctions
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L367
The choice to restrict refunds with auctionFailed modifier is a mistake as it prevents legitimate refund claims from outbid users in successful auctions
- User needs to place a bid
- Another user needs to place a bid to set highestBid to be greater than user's bid
- Auction needs to end successfully
No external pre-conditions required - this is an internal auction contract logic issue.
- User1 calls bid() with 100 USDC
- User2 calls bid() with 200 USDC, outbidding User1
- Time passes and auction ends naturally
- Auction succeeds (highest bid meets reserve price)
- User1 calls claimRefund() but transaction reverts due to auctionFailed modifier
The outbid users cannot claim their refund of 100% of their bid amount when auction succeeds. In this test case, User1 loses access to 100 USDC.
function testOutbidAndRefund() public { // Setup first bidder address bidder1 = address(0x11); vm.startPrank(bidder1); usdc.mint(bidder1, 1000 ether); usdc.approve(address(auction), 1000 ether); auction.bid(100 ether, 1000000000); vm.stopPrank();
// Setup second bidder with higher bid
address bidder2 = address(0x12);
vm.startPrank(bidder2);
usdc.mint(bidder2, 2000 ether);
usdc.approve(address(auction), 2000 ether);
auction.bid(200 ether, 1000000000);
vm.stopPrank();
// End auction
vm.warp(block.timestamp + 15 days);
auction.endAuction();
// First bidder claims refund
vm.startPrank(bidder1);
auction.claimRefund(1);
vm.stopPrank();
// Verify refund
assertEq(usdc.balanceOf(bidder), 1000 ether);
}
n/a