Seller can skip low rate bidders #104

Closed
code423n4 opened this issue Nov 7, 2022 · 3 comments
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-194
satisfactory: satisfies C4 submission criteria; eligible for awards

Comments

@code423n4

Lines of code

https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L256

Vulnerability details

Impact

Let us say k1 is the private key of a seller, and k2 is the private key of a bidder.
The sharepoint between them is G^k1^k2 = G^k2^k1, and G^k2 is the public key of the bidder, so the sharepoint = (public key of the bidder) ^ (private key of the seller).

It means that the seller can decrypt all bid prices using his private key during the bid process before the reveal stage. Of course the seller's address is blocked in the bid function here, but the seller can place a bid using another address with full knowledge of others' prices.

So the seller can skip low rate bidders for high income, and bidders cannot get expected base tokens because the seller knows their price.

Proof of Concept

Let us say totalBaseAmount = 2 for an auction, and there are two bids.

Alice: quoteAmount = 2, baseAmount = 1

Bob: quoteAmount = 1, baseAmount = 1

The finish rate is 1, so the seller will get 2 quote tokens from 2 base tokens. But the seller knows all these prices during the auction, so he can place another bid for better income.

Seller (using another address): quoteAmount = 2, baseAmount = 1

In this case, the finish rate is 2, so the seller will spend 2 quote tokens for 1 base token, and then get 4 quote tokens from 2 base tokens. As a result, he will get 2 quote tokens from only 1 base token, and he can get the same quote tokens from fewer base tokens.

Bob's bid cannot be filled because the seller knows his price before the auction is ended.

Tools Used

Manual Review

Recommended Mitigation Steps

Introduce a system in which the seller can't know the bidder's price before the end of an auction.
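The following is an added example, not part of the submission or of the project's code. It shows why sealing a bid to a shared secret gives no confidentiality against the seller, and reproduces the finish rates from the Proof of Concept. The toy group (exponentiation modulo a Mersenne prime), the XOR sealing and the simplified clearing rule are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy multiplicative group standing in for the contract's curve (assumption):
# exponentiation mod a Mersenne prime mirrors the post's G^k1^k2 notation.
P = 2**127 - 1
G = 3

def keypair():
    k = secrets.randbelow(P - 2) + 1
    return k, pow(G, k, P)

def shared_point(own_private, other_public):
    # (G^other)^own == (G^own)^other, so both sides derive the same value.
    return pow(other_public, own_private, P)

def seal(quote_amount, shared):
    # Hypothetical sealing: XOR the amount with a hash of the shared point.
    pad = int.from_bytes(hashlib.sha256(str(shared).encode()).digest()[:16], "big")
    return quote_amount ^ pad

unseal = seal  # XOR is its own inverse

def finish_rate(bids, total_base):
    # Simplified uniform-price clearing matching the post's numbers: fill the
    # highest rates first; the rate of the last bid filled is the finish rate.
    filled, rate = 0, None
    for quote, base in sorted(bids, key=lambda b: b[0] / b[1], reverse=True):
        if filled >= total_base:
            break
        filled += base
        rate = quote / base
    return rate

def demo():
    seller_priv, seller_pub = keypair()
    bob_priv, bob_pub = keypair()
    # Bob seals quoteAmount = 1 to the seller's public key.
    sealed = seal(1, shared_point(bob_priv, seller_pub))
    # Before reveal, the seller needs only Bob's public key and its own key.
    seen_by_seller = unseal(sealed, shared_point(seller_priv, bob_pub))
    honest = finish_rate([(2, 1), (1, 1)], total_base=2)
    with_extra_bid = finish_rate([(2, 1), (1, 1), (2, 1)], total_base=2)
    return seen_by_seller, honest, with_extra_bid

if __name__ == "__main__":
    print(demo())
```

A design in which bids are bound by a hash commitment and opened by the bidder after the auction ends would leave the seller nothing to decrypt during bidding.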

code423n4 added the 2 (Med Risk) and bug labels Nov 7, 2022
code423n4 added a commit that referenced this issue Nov 7, 2022

c4-judge commented Nov 9, 2022

0xean marked the issue as duplicate

c4-judge commented Dec 2, 2022

0xean marked the issue as duplicate of #170

c4-judge commented Dec 6, 2022

0xean marked the issue as satisfactory

c4-judge added the satisfactory label Dec 6, 2022