This repository was archived by the owner on Aug 3, 2025. It is now read-only.
The bid function lacks validation to ensure that the value sent (msg.value) aligns with the intended sellCouponAmount. This oversight allows malicious users to send zero value while still successfully placing bids. Because the insertSortedBid function relies on the unvalidated sellCouponAmount, the auction's linked list can be manipulated, resulting in invalid or unfair auction outcomes.
Root cause
The bid function does not verify whether the Ether sent (msg.value) corresponds to the declared sellCouponAmount. This omission allows bids to be placed without committing the necessary payment.
The insertSortedBid function uses sellCouponAmount to determine the bid's placement in the linked list. Since sellCouponAmount is unvalidated, an attacker can exploit this to skew the bid order.
The contract assumes that all bidders provide valid payments or tokens when, in reality, no checks enforce this assumption.
POC
The attacker submits multiple unpaid bids with artificially inflated sellCouponAmount, pushing out legitimate bids from the auction (_removeBid removes lower-ranked bids).
This allows the attacker to secure a winning position without committing the required payment.
This pushes legitimate bids further down the order, even if they follow the correct rules. Legitimate bidders may lose their rightful position in the auction.
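The root cause and the PoC above, modelled as an added Python example (this is a model written for this page, not the project's Solidity contract). The names bid, insert_sorted_bid and _remove_bid mirror the functions the report names; the list capacity max_bids, the paid argument standing in for msg.value, the validate_payment switch, and the bidders and amounts in run_scenario are constructed assumptions. With validate_payment off the model reproduces the reported behaviour (unpaid, inflated bids push paying bidders out); with it on, the check a reviewer would expect (committed value must equal the declared sellCouponAmount) rejects them before they touch the ordering.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bid:
    bidder: str
    sell_coupon_amount: int          # amount the bidder declares it is committing
    paid: int                        # amount actually transferred (stands in for msg.value)
    next: Optional["Bid"] = None     # next node in the sorted singly linked list


class Auction:
    """Singly linked list of bids kept in descending sellCouponAmount order (model)."""

    def __init__(self, max_bids: int, validate_payment: bool) -> None:
        self.max_bids = max_bids                  # capacity is an assumption of this model
        self.validate_payment = validate_payment  # False = behaviour the report describes
        self.head: Optional[Bid] = None
        self.count = 0

    def bid(self, bidder: str, sell_coupon_amount: int, paid: int) -> None:
        if sell_coupon_amount <= 0:
            raise ValueError("sellCouponAmount must be positive")
        # The check the report says is missing: the committed value must match the
        # declared amount before the bid is allowed to influence the ordering.
        if self.validate_payment and paid != sell_coupon_amount:
            raise ValueError("msg.value does not match sellCouponAmount")
        self.insert_sorted_bid(Bid(bidder, sell_coupon_amount, paid))

    def insert_sorted_bid(self, new: Bid) -> None:
        # Placement is driven solely by the declared amount, as in the report.
        if self.head is None or new.sell_coupon_amount > self.head.sell_coupon_amount:
            new.next, self.head = self.head, new
        else:
            cur = self.head
            while cur.next is not None and cur.next.sell_coupon_amount >= new.sell_coupon_amount:
                cur = cur.next
            new.next, cur.next = cur.next, new
        self.count += 1
        if self.count > self.max_bids:
            self._remove_bid()

    def _remove_bid(self) -> None:
        """Drop the lowest-ranked bid, i.e. the tail of the list."""
        if self.head is None:
            return
        if self.head.next is None:
            self.head = None
        else:
            cur = self.head
            while cur.next.next is not None:
                cur = cur.next
            cur.next = None
        self.count -= 1

    def ranking(self) -> list:
        """Bidders from highest to lowest ranked position."""
        out, cur = [], self.head
        while cur is not None:
            out.append(cur.bidder)
            cur = cur.next
        return out

    def total_paid(self) -> int:
        """Value actually committed by the bids currently holding a position."""
        total, cur = 0, self.head
        while cur is not None:
            total += cur.paid
            cur = cur.next
        return total


def run_scenario(validate_payment: bool) -> dict:
    """Two paying bidders fill a 2-slot auction, then two unpaid bids with an
    inflated sellCouponAmount are submitted (constructed sample values)."""
    auction = Auction(max_bids=2, validate_payment=validate_payment)
    auction.bid("alice", 100, 100)
    auction.bid("bob", 90, 90)
    rejected = 0
    for _ in range(2):
        try:
            auction.bid("attacker", 1_000_000, 0)   # inflated declaration, nothing paid
        except ValueError:
            rejected += 1
    return {"ranking": auction.ranking(),
            "rejected": rejected,
            "total_paid": auction.total_paid()}


if __name__ == "__main__":
    print("without check:", run_scenario(validate_payment=False))
    print("with check:   ", run_scenario(validate_payment=True))
```

Without the check the two unpaid bids occupy both winning positions and the auction holds no committed value at all; with the check both are rejected and the paying bidders keep their positions. The same model can be used to confirm an invariant worth asserting in tests for a fix: after any sequence of bids, every bid that holds a position has paid exactly its declared amount.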