TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Token Recovery Function Can Lead to Epoch Management Issues

pelz

Summary

The recoverToken function in the DaiGoldAuction.sol contract allows the admin to recover templeGold tokens from the contract. However, when recovering templeGold tokens, the function deletes the current auction epoch’s data, which can lead to potential issues if the startAuction function is called afterward. Specifically, the current epoch is removed, but the currentEpoch variable is not decremented, which can cause inconsistencies and potentially allow the start of a new auction with an empty or invalid epoch.

Vulnerability Details

The recoverToken function in DaiGoldAuction.sol is defined as follows:

function recoverToken(

address token,

address to,

uint256 amount

) external override onlyElevatedAccess {

if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

if (token != address(templeGold)) {

emit CommonEventsAndErrors.TokenRecovered(to, token, amount);

IERC20(token).safeTransfer(to, amount);

return;

}

// auction started but cooldown pending

uint256 epochId = _currentEpochId;

EpochInfo storage info = epochs[epochId];

if (info.startTime == 0) { revert InvalidOperation(); }

if (info.isActive()) { revert AuctionActive(); }

if (info.hasEnded()) { revert AuctionEnded(); }

uint256 _totalAuctionTokenAmount = info.totalAuctionTokenAmount;

if (amount > _totalAuctionTokenAmount) { revert CommonEventsAndErrors.InvalidAmount(token, amount); }

/// @dev Epoch data is deleted and leftover amount is added to nextAuctionGoldAmount.

/// so admin should recover total auction amount for epoch if that's the requirement

delete epochs[epochId];

/// @dev `nextAuctionGoldAmount` is set to 0 in `startAuction`.

/// `nextAuctionGoldAmount > 0` if there was a distribution after `auctionStart` called

/// epoch is deleted. so if amount < totalAuctionTokenAmount for epoch, add leftover to next auction amount

unchecked {

nextAuctionGoldAmount += _totalAuctionTokenAmount - amount;

}

emit CommonEventsAndErrors.TokenRecovered(to, token, amount);

templeGold.safeTransfer(to, amount);

}

When templeGold tokens are recovered, the function deletes the current epoch’s data, which can result in:

Invalid Epoch State: Deleting the current epoch data without updating the currentEpoch variable may lead to inconsistencies. The currentEpoch variable still points to a non-existent epoch, which could cause logical errors in functions that depend on this variable.
Unintended Auction Start: If the startAuction function is called after recovering the tokens, it might allow users to start a new auction with an empty epoch, thus breaking the auction logic and potentially allowing an auction with no valid epoch data.

Here’s an example scenario:

Admin recovers templeGold tokens while the current auction epoch has not ended.
The currentEpoch variable still points to the deleted epoch, which is now empty.
A user can call the startAuction function, which may not check for the validity of currentEpoch, allowing an auction to start with invalid data.

Impact

The impact of this vulnerability includes:

Logical Errors in Auction Management: By deleting the current epoch data without updating currentEpoch, the contract may enter an inconsistent state where the currentEpoch variable points to a non-existent or invalid epoch.
Potential for Invalid Auctions: An attacker or unintended user might exploit this state to start a new auction when no valid auction epoch exists, potentially disrupting the auction process and causing confusion.

Recommendations

Update Epoch Management: When recovering templeGold tokens, ensure that the currentEpoch variable is decremented to point to the previous valid epoch, if applicable. This can be done by adding a step to adjust currentEpoch after deleting the epoch data.

Example fix:

delete epochs[epochId];
if (_currentEpochId > 0) {
_currentEpochId--;
}
nextAuctionGoldAmount += _totalAuctionTokenAmount - amount;
Add Epoch Validity Checks: Ensure that the startAuction function checks the validity of currentEpoch and prevents the creation of a new auction if currentEpoch points to a non-existent or invalid epoch.

Updates

Lead Judging Commences

inallhonesty Lead Judge

12 months ago

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.