Ripe Macaroon Jellyfish
Medium
The NounsAuctionHouseV3::createBid() does not check if a Noun is reserved for the Nounders and hence anybody can win the reserved noun token.
According to the documentation, every 10th Noun is reserved for the Nounders for the first five years but there is no check in createBid() function to prevent anyone from creating a bid and winning these tokens.
In NounsAuctionHouseV2 and NounsAuctionHouseV3, the createBid() functions are missing a check to prevent anyone from creating a bid for the reserved noun tokens.
The impact is that the Nounders will not get their reserved rewards.
Paste the code in the test file.
function test_createBid_revertsGivenReservedNounId() public {
// change the current nounId to be a multiple of 10
uint128 nounId = auction.auction().nounId;
vm.expectRevert("Reserved Noun");
auction.createBid(nounId);
} function createBid(uint256 nounId, uint32 clientId) public payable override {
INounsAuctionHouseV2.AuctionV2 memory _auction = auctionStorage;
(uint192 _reservePrice, uint56 _timeBuffer, uint8 _minBidIncrementPercentage) = (
reservePrice,
timeBuffer,
minBidIncrementPercentage
);
+ require(_auction.nounId % 10 != 0, "not authorized to mint this token");
require(_auction.nounId == nounId, 'Noun not up for auction');
require(block.timestamp < _auction.endTime, 'Auction expired');
require(msg.value >= _reservePrice, 'Must send at least reservePrice');
require(
msg.value >= _auction.amount + ((_auction.amount * _minBidIncrementPercentage) / 100),
'Must send more than last bid by minBidIncrementPercentage amount'
);