
[Bug]: Highest Bidder is allowed to withdraw from escrow_payment_account with Auctioneer #843

Open
akkoucai opened this issue Oct 23, 2022 · 0 comments

@akkoucai

Which package is this bug report for?

auction-house

Which Type of Package is this bug report for?

Rust Contract

Issue description

  1. A seller starts an auction with Auctioneer and sets up the listing config to not allow the highest bidder to cancel its bid.
  2. Someone bids on this auction and becomes the highest bidder.
  3. The highest bidder withdraws its funds from escrow_payment_account after the auction ends (or before; it doesn't matter here, because the listing config doesn't update the highest bidder).
  4. The auction has ended, but when the highest bidder tries to execute_sale, it throws an error because the escrow account has insufficient funds.
  5. This may seem logical given the architecture of the program, but it would mean that a malicious person could outbid every time as long as they have the funds, and they won't suffer any consequences (apart from the transaction fees), because they can withdraw their funds as they wish at the end, and the seller could end up never being able to auction off their token.

Relevant log output

"Program log: Instruction: AuctioneerExecuteSale"
"Program log: AnchorError occurred. Error Code: InsufficientFunds. Error Number: 6043. Error Message: Insufficient funds in escrow account to purchase.."

Priority this issue should have

High (immediate attention needed)
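The following is an added illustration of the escrow-withdraw check the report is about; it is not the Metaplex auction-house code. `ListingConfig`, `Escrow`, `withdraw_vulnerable`, `withdraw_fixed`, `execute_sale` and `scenario` are hypothetical stand-ins that model the five-step sequence above: a withdraw path that only checks the escrow balance lets the leading bidder drain escrow so `execute_sale` later fails with insufficient funds, while a withdraw path that consults the listing config refuses to let the highest bidder's escrow drop below its bid when the seller disallowed cancelling the high bid.

```rust
// Added example modelled on the issue report, not the auction-house program.
// All types and functions here are hypothetical stand-ins for the real PDAs
// and Anchor instructions.
use std::collections::HashMap;

/// Simplified listing config: current leader and whether the seller lets
/// that leader back out of the bid.
#[derive(Debug, Clone)]
pub struct ListingConfig {
    pub highest_bidder: Option<String>,
    pub highest_bid: u64,
    pub allow_high_bid_cancel: bool,
    pub ended: bool,
}

/// Escrow payment balances keyed by wallet (stand-in for per-wallet PDAs).
#[derive(Debug, Default)]
pub struct Escrow {
    balances: HashMap<String, u64>,
}

#[derive(Debug, PartialEq)]
pub enum EscrowError {
    InsufficientFunds,
    HighestBidderLocked,
    AuctionNotEnded,
}

impl Escrow {
    pub fn deposit(&mut self, wallet: &str, lamports: u64) {
        *self.balances.entry(wallet.to_string()).or_insert(0) += lamports;
    }
    pub fn balance(&self, wallet: &str) -> u64 {
        self.balances.get(wallet).copied().unwrap_or(0)
    }
    fn debit(&mut self, wallet: &str, lamports: u64) -> Result<(), EscrowError> {
        let bal = self.balances.entry(wallet.to_string()).or_insert(0);
        if *bal < lamports {
            return Err(EscrowError::InsufficientFunds);
        }
        *bal -= lamports;
        Ok(())
    }
}

/// Record a bid: funds move to escrow and the listing config tracks the leader.
pub fn place_bid(escrow: &mut Escrow, cfg: &mut ListingConfig, wallet: &str, lamports: u64) {
    escrow.deposit(wallet, lamports);
    if lamports > cfg.highest_bid {
        cfg.highest_bid = lamports;
        cfg.highest_bidder = Some(wallet.to_string());
    }
}

/// Behaviour the issue reports: withdraw checks only the escrow balance and
/// never the listing config, so the leader can empty its escrow at will.
pub fn withdraw_vulnerable(escrow: &mut Escrow, _cfg: &ListingConfig, wallet: &str, lamports: u64) -> Result<(), EscrowError> {
    escrow.debit(wallet, lamports)
}

/// Hardened variant: while the wallet is the highest bidder and the listing
/// forbids cancelling the high bid, escrow may not drop below the bid amount.
pub fn withdraw_fixed(escrow: &mut Escrow, cfg: &ListingConfig, wallet: &str, lamports: u64) -> Result<(), EscrowError> {
    let is_leader = cfg.highest_bidder.as_deref() == Some(wallet);
    if is_leader && !cfg.allow_high_bid_cancel {
        let remaining = escrow
            .balance(wallet)
            .checked_sub(lamports)
            .ok_or(EscrowError::InsufficientFunds)?;
        if remaining < cfg.highest_bid {
            return Err(EscrowError::HighestBidderLocked);
        }
    }
    escrow.debit(wallet, lamports)
}

/// Settlement after the auction ends: the winner's escrow must cover the bid.
pub fn execute_sale(escrow: &mut Escrow, cfg: &ListingConfig) -> Result<u64, EscrowError> {
    if !cfg.ended {
        return Err(EscrowError::AuctionNotEnded);
    }
    let winner = cfg.highest_bidder.as_deref().ok_or(EscrowError::InsufficientFunds)?;
    escrow.debit(winner, cfg.highest_bid)?;
    Ok(cfg.highest_bid)
}

/// Replays the report's sequence against one withdraw policy and returns the
/// outcome of the withdraw and of the final execute_sale.
pub fn scenario(
    withdraw: fn(&mut Escrow, &ListingConfig, &str, u64) -> Result<(), EscrowError>,
) -> (Result<(), EscrowError>, Result<u64, EscrowError>) {
    // Constructed listing: seller disallows high-bid cancellation.
    let mut cfg = ListingConfig { highest_bidder: None, highest_bid: 0, allow_high_bid_cancel: false, ended: false };
    let mut escrow = Escrow::default();
    place_bid(&mut escrow, &mut cfg, "bidder", 1_000); // constructed bid of 1000 lamports
    cfg.ended = true;
    let w = withdraw(&mut escrow, &cfg, "bidder", 1_000);
    let s = execute_sale(&mut escrow, &cfg);
    (w, s)
}

fn main() {
    println!("vulnerable: {:?}", scenario(withdraw_vulnerable));
    println!("fixed:      {:?}", scenario(withdraw_fixed));
}
```

With the vulnerable policy the withdraw succeeds and `execute_sale` fails with `InsufficientFunds`, matching the `AuctioneerExecuteSale` log in the report; with the fixed policy the withdraw is refused with `HighestBidderLocked` and the sale settles for the bid amount. The defensive point is that the withdraw instruction must read the listing config, not just the escrow balance, whenever the seller has disabled high-bid cancellation.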

@akkoucai akkoucai added the bug label Oct 23, 2022
KirillLykov pushed a commit to KirillLykov/metaplex-program-library that referenced this issue Jul 4, 2023
* Fix AUCTION_HOUSE_SIZE calculation

* Move 21 freed bytes to padding

Move 21 freed bytes to padding to maintain account size

* remove duplicate code

* update padding to 220