HashRegistrarSimplified.sol: Would it be possible to win a bid without depositing sufficient ether? #49
I'm sure I'm just missing something dumb. So apologies in advance!
Via shaBid(bytes32 hash, address owner, uint value, bytes32 salt), I can create a bid for associated with any value that I please. This value is part of the hash. I will always use this value to identify the bid. No ether is sent.
Via newBid(bytes32 sealedBid), I enter my bid into the auction. I may pay ether here, but there is no enforced relationship between the amount of ether I pay and the value I have declared when defining the bid. The value of my Deed will be defined by the amount I have paid, and the deed will own that amount.But this may not be the value I declared when defining the bid.
When I call
However, when checking to see if I have won the auction (or if I have bid at least the minimum price), the declared value
So it looks to me like I could win auctions by declaring very high values but underfunding them (and unsealing my bids late in the reveal period, since my low actually-paid value becomes an easily displaceable
I really do apologize for wasting your time if there is a constraint that I am not seeing that prevents this! I've tested nothing, I'm just trying to understand the code.
p.s. Thank you very much Martin Koeppelmann and Stefan George for taking a look at this! Any mistakes are obviously all my own, but they provided an extremely helpful quick review.
The text was updated successfully, but these errors were encountered:
Thank you for spotting this. I didn't get a chance to update the bug last night, but I was able to reproduce it with a unittest more or less immediately, and once I did so, contacted the other keyholders to postpone the launch. We'll fix this bug - obviously - but also back off and improve our testing processes, write a postmortem, then reschedule a launch.
Thank you again for finding this before it became a major issue.