TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

removeAuctionConfig can't remove the first added SpiceAuctionConfig

cryptomoon

Summary

In SpiceAuction, removeAuctionConfigis used to remove auction config for last epoch. But it doesn't delete the first added configuntil it's started and starting an auction requires config.minimumDistributedAuctionTokento be added in the contract.

Vulnerability Details

The function removeAuctionConfighas following check to ensure that it doesn't delete the configwhen _currentEpchId == 0. https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L112-L113

// _currentEpochId = 0

if (info.startTime == 0) { revert InvalidConfigOperation(); }

However, the configwill be added from index 1in auctionConfigsarray.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L101-L102

currentEpochIdCache += 1;

auctionConfigs[currentEpochIdCache] = _config;

Due to this, to remove the auctionConfigs[1], it will need to be started first by calling startAuctionand sending auctionTokens more than config.minimumDistributedAuctionToken in the SpiceAuction contract. Once the auction is started but in cooldown(not active yet),daoExecutorwill be able to removethat auction by calling removeAuctionConfigwhich will remove the auctionConfig. However, if cooldowncan be 0, it may be the case that deletion of first added auction config won't be possible.

TLDR: removeAuctionConfiggives a way to remove the auctionConfigwhich is next to the _currentEpochIdbut it will not be usable in case of first added auction config.

Steps to Reproduce:

1) daoExecutoradds the first config by calling setAuctionConfig.

2) daoExecutorwants to remove the config added in step 1 and calls removeAuctionConfigbut it reverts.

3) daoExecutorneeds to start the auction by sending funds greater than config.minimumDistributedAuctionToken

4) daoExecutornow calls removeAuctionConfigagain to remove the config set in step 1.

It should be clear that step 4 would only work if config.cooldownis non-zero. In other case, it won't be possible to delete the added config by daoExecutor.

Impact

removeAuctionConfigfunction doesn't work as intended and it may require some extra steps along with sending the funds to start an auction to remove the added config

Tools Used

Manual review

Recommendations

The project will need to remove the following check from removeAuctionConfig.

if (info.startTime == 0) { revert InvalidConfigOperation(); }

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`removeAuctionConfig` can't remove the first added `SpiceAuctionConfig` which in the end leads to inability to recover the funds associated to that auction

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.