Token lock in Auction when the lot price is decreased #416

Destiner opened this issue Nov 6, 2018 · 3 comments


@Destiner Destiner commented Nov 6, 2018


ColonyNetworkAuction.sol implements a Dutch auction with a dynamically decreasing price. When a user makes a bid, the function first checks how many CLNY tokens are required to finish the auction. The calculation is made via DSMath.sub, which throws if the resulting amount is smaller than 0. In other words, the function will throw if _totalToEndAuction - receivedTotal < 0. If the price decreases to the extent that it becomes smaller than receivedTotal, the bid will throw forever, regardless of the passed _amount parameter.
Note that calling the bid function is the only way to close the auction, closing the auction is the only way to finalize it, and finalizing it is the only way to claim the lot for a bidder. Therefore, locking the bid function is basically locking the auction lot.
This lock will happen regardless of the number of bidders, bids, and bid amounts. The only requirement is that the price becomes low enough without additional bids.

Steps to Reproduce (for bugs)

  1. Start an auction.
  2. Make bids.
  3. Wait until _totalToEndAuction - receivedTotal < 0.

Expected Behavior

The contract should allow stopping the auction.

Current Behaviour

The contract will not allow making bids or closing the auction in any other way.

Possible Solution

Allow bidding with dust amounts even if _totalToEndAuction - receivedTotal < 0. Alternatively, make a function close which will close the auction if the amount of received tokens is high enough given the current price.
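Added example, not part of the original issue and not the Colony code: a small Python model of the lock reported above, with a clamped variant in the spirit of the suggested solution. The linear price curve, the `clamp` switch and all names other than receivedTotal and _totalToEndAuction are assumptions; the real contract's pricing and its eventual fix may differ.

```python
# Simplified model, not the ColonyNetworkAuction.sol source. The linear price
# curve and every name other than receivedTotal/_totalToEndAuction are assumed.
class Underflow(Exception):
    """Stands in for the revert DSMath.sub raises on a negative result."""

def checked_sub(a, b):
    if b > a:
        raise Underflow(f"{a} - {b} < 0")
    return a - b

class Auction:
    def __init__(self, quantity, start_price, decay_per_tick, clamp=False):
        self.quantity, self.start_price = quantity, start_price
        self.decay_per_tick = decay_per_tick
        self.clamp = clamp          # False: reported behaviour, True: mitigated
        self.received_total = 0
        self.closed = False

    def total_to_end(self, tick):   # models _totalToEndAuction at a given time
        price = max(self.start_price - self.decay_per_tick * tick, 1)
        return self.quantity * price

    def remaining(self, tick):
        total = self.total_to_end(tick)
        if self.clamp and self.received_total >= total:
            return 0                # already fully paid at the current price
        return checked_sub(total, self.received_total)

    def bid(self, amount, tick):
        accepted = min(amount, self.remaining(tick))  # reverts here when locked
        self.received_total += accepted
        if self.received_total >= self.total_to_end(tick):
            self.closed = True      # in this model only bid() closes the auction
        return accepted

def is_locked(auction, tick, probes=(0, 1, 10**18)):
    """True when every probe amount reverts, so no bid can close the auction."""
    for amount in probes:
        try:
            auction.bid(amount, tick)
            return False
        except Underflow:
            pass
    return True

def scenario(clamp):
    a = Auction(quantity=100, start_price=50, decay_per_tick=1, clamp=clamp)
    a.bid(3000, tick=0)             # constructed input: 3000 of the 5000 needed
    return a
```

Because the modelled price never rises, once `is_locked` returns True at some tick it stays True at every later tick, which makes it usable as a regression check for this class of bug.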

@elenadimitrova elenadimitrova added the bug label Nov 9, 2018

@gichiba gichiba commented Nov 9, 2018

Thanks for submitting this issue @Destiner! We've accepted it and will be ranking the severity over the course of the next few days. Hang tight!

@elenadimitrova elenadimitrova added this to the Sprint 12 milestone Nov 9, 2018
@elenadimitrova elenadimitrova self-assigned this Nov 9, 2018

@elenadimitrova elenadimitrova commented Nov 9, 2018

Great find @Destiner! I've managed to reproduce the issue here fix/416-working-with-low-auction-price

Although the issue affects relatively low price auctions, the likelihood of it happening is "Medium" due to the very low-value nature of the tokens being auctioned.
In terms of analysing the impact, auctions are started to sell off any Network earnings from a given Colony token. They are started at most once per month per Colony token and the amount of tokens constitutes ~1% of the value of all completed tasks in that Colony in that month, which at the start will be negligible in terms of value. Therefore we deem impact to be "Low".

Likelihood: Medium
Impact: Low
OWASP: Low, but would like to reward you in the higher end of that pay bracket at $1,500.
Rewards are paid out to your GitHub handle via GitCoin; please make sure you select "Start work" on it if you haven't already.


@collinvine collinvine commented Nov 11, 2018

@Destiner Can you go back to the GitCoin issue and Submit your work so that I can pay you out? Once you do that, I'll send your payment in DAI.

@elenadimitrova elenadimitrova added this to Backlog in Glider Release via automation Nov 12, 2018
@elenadimitrova elenadimitrova modified the milestones: Sprint 12, Sprint 13 Nov 12, 2018
@elenadimitrova elenadimitrova moved this from Backlog to Sprint Backlog in Glider Release Nov 19, 2018
@elenadimitrova elenadimitrova modified the milestones: Sprint 13, Sprint 14 Nov 26, 2018
@elenadimitrova elenadimitrova modified the milestones: Sprint 14, Sprint 15 Dec 10, 2018
@elenadimitrova elenadimitrova removed this from the Sprint 15 milestone Dec 27, 2018
@elenadimitrova elenadimitrova added this to the Sprint 20 milestone Feb 16, 2019
@kronosapiens kronosapiens modified the milestones: Sprint 20, Sprint 21 Mar 5, 2019
Glider Release automation moved this from Sprint Backlog to Done Mar 11, 2019

5 participants