
No check for sequencer uptime will lead dutch auctions executing at worst prices #174

Closed
c4-bot-9 opened this issue Aug 19, 2024 · 0 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-94 🤖_33_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-9
Contributor

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/trading/DutchTrade.sol#L91

Vulnerability details

Dutch auctions allow the protocol to sell assets at a time-based decreasing price, which means the longer the auction runs, the lower the price.
This kind of model presents some risk if the sequencer on L2 chains fails to work properly after the auction has been fired.

Impact

The impact is financial: Dutch auctions will be less profitable for the protocol.

Proof of Concept

Given that the price during Dutch auctions is based on how much time has passed since the start:

   uint192 price = _price(uint48(block.timestamp)); // price depends only on the current block timestamp

A network outage can be quite damaging to any actors providing liquidity to the system.

Consider the following scenario.

1. A 30 min long Dutch auction starts.
2. The network experiences an outage, causing the sequencer to go offline.
3. 45 min later the network is back.
4. A fast actor bids on the Dutch auction, now sitting at the worst price.
5. Auction settles.

Tools Used

Manual review

Recommended Mitigation Steps

With the use of Chainlink's sequencer uptime feeds, negate auctions that have been taking place during an outage.

Assessed type

Other
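As an added illustration (not code from the Reserve protocol or from DutchTrade.sol), a stand-alone sketch of the recommended mitigation: the bid path reads Chainlink's L2 sequencer uptime feed and reverts if the sequencer is currently down or came back up after the auction began, so a bid cannot be filled at a price that decayed through an outage. The contract name, the linear price decay and the function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface; the L2 sequencer uptime
// feed exposes the same function (answer == 0 means "up", 1 means "down").
interface AggregatorV3Interface {
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80);
}

contract SequencerAwareDutchAuction {
    error SequencerDown();
    error OutageDuringAuction(uint256 sequencerRestartedAt);

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint48 public immutable startTime;
    uint48 public immutable endTime;
    uint192 public immutable startPrice; // assumed: highest price, at startTime
    uint192 public immutable endPrice;   // assumed: lowest price, at endTime

    constructor(address feed, uint48 duration, uint192 _startPrice, uint192 _endPrice) {
        sequencerUptimeFeed = AggregatorV3Interface(feed);
        startTime = uint48(block.timestamp);
        endTime = startTime + duration;
        startPrice = _startPrice;
        endPrice = _endPrice;
    }

    // Constructed stand-in for a time-based price: linear decay from startPrice to endPrice.
    function _price(uint48 timestamp) internal view returns (uint192) {
        if (timestamp >= endTime) return endPrice;
        uint256 elapsed = timestamp - startTime;
        uint256 span = endTime - startTime;
        return startPrice - uint192((uint256(startPrice - endPrice) * elapsed) / span);
    }

    // Reverts if the sequencer is down now, or if it restarted after this auction
    // started (i.e. the price kept decaying while nobody could submit a bid).
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert SequencerDown();
        // startedAt is the timestamp of the last status change; a flip to "up" after startTime means an outage happened mid-auction.
        if (startedAt > startTime) revert OutageDuringAuction(startedAt);
    }

    function bid() external view returns (uint192 price) { // view only for brevity
        require(block.timestamp < endTime, "auction ended");
        _checkSequencer();
        price = _price(uint48(block.timestamp));
    }
}
```

A reverted bid leaves the auction to be handled by whatever recovery path the protocol defines (e.g. restarting it), which is the "negate" in the mitigation above.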

@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 19, 2024
c4-bot-2 added a commit that referenced this issue Aug 19, 2024
@c4-bot-12 c4-bot-12 added the 🤖_33_group AI based duplicate group recommendation label Aug 19, 2024
howlbot-integration bot added a commit that referenced this issue Aug 20, 2024
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-94 labels Aug 20, 2024