TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

First DAI gold auction can be used to DOS the contract and grief users

Summary

First DaiGoldAuction can be used to DOS the contract and grief users

Vulnerability Details

In DaiGoldAuction, the startAuction function allows anyone to start an auction when auctionStarter is unset (address(0)). The problem is that auctionStarter is always initialized to address(0), so the contract is deployed in exactly that state.

A user can therefore start an auction immediately after the contract is created: auctionStarter is address(0) and auctionConfig is empty, so when startAuction is called every check passes, because prevAuctionInfo and config are empty (all uint values are 0).

This results in an auction with 0 totalGoldAmount, a startTime of now, and an endTime in 1 week.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L120-L123

```solidity
// info.startTime = block.timestamp + 0 | info.endTime = startTime + 1 weeks
uint128 startTime = info.startTime = uint128(block.timestamp) + config.auctionStartCooldown;
uint128 endTime = info.endTime = startTime + AUCTION_DURATION;
```

Issues that arise:

  1. If bidders bid, their tokens are wasted: the auction allocation is 0 and below auctionMinimumDistributedGold (which is also 0, because the config was never initialized).

  2. setAuctionConfig and setAuctionStarter don't work when there is an ongoing auction:

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L69

```solidity
if (!epochs[_currentEpochId].hasEnded()) { revert InvalidOperation(); }
```

This means that once such an auction has been started, it can be kept running indefinitely: an attacker front-runs each subsequent setAuctionStarter or setAuctionConfig call with startAuction and opens a new auction (this time with some tokens), so the admin call reverts again.

Example scenario:

  1. DaiGoldAuction is created.

  2. Alice front-runs the call to setAuctionConfig with startAuction, starting an auction.

  3. The admin's call to setAuctionConfig reverts. The system now needs to wait 1 week to set the config.

  4. Alice front-runs the next call again with startAuction.

POC

https://gist.github.com/0x3b33/32c89ff667624b66951cf8dd8de261fe
Paste in: protocol/test/forge/templegold/<name>.t.sol
Run with: forge test --match-test test_brick_contract -vvvv

Impact

DaiGoldAuction is DOSed for at least a week, most likely more. Some users may lose their tokens.

Tools Used

Manual review

Recommendations

Initialize auctionStarter to address(1) so that startAuction cannot be called freely by anyone. Another option is to set the config in the constructor. In either case, ensure the config is set before users are allowed to start auctions.
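The sketch below is an added example written for this report, not TempleGold's code: it shows a stripped-down auction contract that applies two of the recommendations at once, a non-zero auctionStarter sentinel set in the constructor and an explicit "config is set" check in startAuction, followed by a Foundry test that asserts the report's scenario step 2 now reverts. The names auctionStarter, auctionConfig, startAuction, setAuctionConfig, setAuctionStarter, auctionStartCooldown, auctionMinimumDistributedGold and AUCTION_DURATION follow the report; the struct layouts, the owner handling, the configSet flag, nextAuctionGoldAmount and the forge-std import are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: standard Foundry test dependency

/// @notice Simplified sketch for this report, not the TempleGold implementation.
contract HardenedDaiGoldAuctionSketch {
    struct AuctionConfig {
        uint32 auctionStartCooldown;           // delay before a started auction opens
        uint192 auctionMinimumDistributedGold; // floor on gold sold per auction
    }

    struct EpochInfo {
        uint128 startTime;
        uint128 endTime;
        uint256 totalAuctionTokenAmount;
    }

    uint32 public constant AUCTION_DURATION = 1 weeks;

    address public immutable owner;
    address public auctionStarter;
    AuctionConfig public auctionConfig;
    bool public configSet;                // assumption: explicit "config initialised" flag
    uint256 public currentEpochId;
    mapping(uint256 => EpochInfo) public epochs;
    uint256 public nextAuctionGoldAmount; // assumption: gold queued for the next auction

    error InvalidOperation();
    error ConfigNotSet();
    error Unauthorized();
    error LowGoldDistributed(uint256 amount);

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    constructor(address _owner) {
        owner = _owner;
        // Fix 1 (report's first option): never leave auctionStarter at address(0).
        // address(1) is a sentinel nobody controls, so the "anyone may start" path
        // stays closed until the owner deliberately assigns a starter.
        auctionStarter = address(1);
    }

    function setAuctionConfig(AuctionConfig calldata _config) external onlyOwner {
        // Same rule the report quotes: no config changes during a live auction.
        if (_hasActiveAuction()) revert InvalidOperation();
        if (_config.auctionMinimumDistributedGold == 0) revert InvalidOperation();
        auctionConfig = _config;
        configSet = true;
    }

    function setAuctionStarter(address _starter) external onlyOwner {
        if (_hasActiveAuction()) revert InvalidOperation();
        auctionStarter = _starter; // address(0) re-opens startAuction to anyone, deliberately
    }

    function startAuction() external {
        // Fix 2 (report's third recommendation): refuse until a config exists,
        // so a zero-allocation, week-long auction can never be created.
        if (!configSet) revert ConfigNotSet();
        if (auctionStarter != address(0) && msg.sender != auctionStarter) revert Unauthorized();
        if (_hasActiveAuction()) revert InvalidOperation();

        uint256 amount = nextAuctionGoldAmount;
        if (amount < auctionConfig.auctionMinimumDistributedGold) revert LowGoldDistributed(amount);

        EpochInfo storage info = epochs[++currentEpochId];
        info.startTime = uint128(block.timestamp) + auctionConfig.auctionStartCooldown;
        info.endTime = info.startTime + AUCTION_DURATION;
        info.totalAuctionTokenAmount = amount;
        nextAuctionGoldAmount = 0;
    }

    function _hasActiveAuction() internal view returns (bool) {
        return currentEpochId != 0 && block.timestamp < epochs[currentEpochId].endTime;
    }
}

/// @notice Step 2 of the report's scenario against the hardened sketch: an early
/// startAuction right after deployment is rejected instead of opening an empty auction.
contract HardenedDaiGoldAuctionSketchTest is Test {
    HardenedDaiGoldAuctionSketch internal auction;

    function setUp() public {
        auction = new HardenedDaiGoldAuctionSketch(makeAddr("owner"));
    }

    function test_startAuctionBeforeConfigReverts() public {
        vm.expectRevert(HardenedDaiGoldAuctionSketch.ConfigNotSet.selector);
        auction.startAuction();
    }
}
```

The two guards are independent: the sentinel alone already blocks the first-minute call, and the configSet check alone already prevents a zero-allocation epoch even if the owner later opens startAuction to everyone by setting auctionStarter back to address(0). Keeping both means a single misconfiguration cannot reintroduce the griefing path.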

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

`startAuction` the second the DaiGoldAuction is deployed can be used to DOS the contract

Appeal created

pyro (Submitter), 11 months ago
inallhonesty (Lead Judge), 11 months ago
