Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Programmable Derivatives>High findings>Bidders are unable to claim the expected amount of reserve tokens
GeneralOverview
Findings
Critical (2)
High (9)Decimals of the data in the function latestRoundDataThe function getOraclePrice may return an incorrect priceIncorrect PreDeposit rewardClaim function could be broken by timing attackLack of handling of auction failuresBidders are unable to claim the expected amount of reserve tokensDistribution's claim function does not update storage variablesHuge bid could cause overflow in subsequent bidsNumber of coupon tokens obtained from the auction may differ from number of coupon tokens to be distributed
Medium (4)
Low (3)
Informational (2)
DiscussionInconsistencies between documentation and implementation
Threat ModelWhat are threat models?Auction.solBalancerOracleAdapter.solBondToken.solDistributor.solLeverageToken.solOracleReader.solPool.solPoolFactory.solPreDeposit.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Bidders are unable to claim the expected amount of reserve tokens

High Severity
High Impact
High Likelihood

Description

During the auction period, bidders place their bids, specifying a quantity of coupon tokens they are willing to pay and a quantity of reserve tokens they are willing to receive, corresponding to the sellCouponAmount and buyReserveAmount fields in the structure Bid, respectively.

function bid(uint256 buyReserveAmount, uint256 sellCouponAmount) external auctionActive returns(uint256) {
    // [...]

    // Transfer buy tokens to contract
    IERC20(buyCouponToken).transferFrom(msg.sender, address(this), sellCouponAmount);

    Bid memory newBid = Bid({
      bidder: msg.sender,
      buyReserveAmount: buyReserveAmount,
      sellCouponAmount: sellCouponAmount,
      // [...]
    });

    // [...]
}

Bidders transfer sellCouponAmount amount of coupon tokens to the contract, but if the auction succeeds, they can only claim sellCouponAmount amount of reserve tokens.

function claimBid(uint256 bidIndex) auctionExpired auctionSucceeded external {
    Bid storage bidInfo = bids[bidIndex];
    // [...]

    bidInfo.claimed = true;
    IERC20(sellReserveToken).transfer(bidInfo.bidder, bidInfo.sellCouponAmount);

    emit BidClaimed(bidInfo.bidder, bidInfo.sellCouponAmount);
}

Impact

If the auction succeeds, the auction contract will receive totalSellReserveAmount amount of reserve tokens, which is the sum of the buyReserveAmount in all valid bids. Bidders can claim sellCouponAmount amount of reserve tokens, which does not match the expected buyReserveAmount. Meanwhile, the sum of the sellCouponAmount in valid bids differs from the totalSellReserveAmount, which may cause some bidders to not be able to claim due to insufficient reserve tokens in the auction contract, or the remaining reserve tokens may be locked in the contract.

Recommendations

Change the amount of reserve tokens transferred in the function claimBid from sellCouponAmount to buyReserveAmount.

Remediation

This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit bf3ab7d5.

Zellic © 2025Back to top ↑