TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Potential Reentrancy Vulnerability in `bid` Function

Summary

The `bid` function in the `DaiGoldAuction` contract calls `bidToken.safeTransferFrom` before it writes the bidder's deposit and the epoch total to storage. External call before state update is the ordering that reentrancy attacks rely on, so the function deviates from the checks-effects-interactions pattern.

Vulnerability Details

In the `bid` function, the contract transfers tokens from the caller to the treasury before updating the caller's deposit amount (`depositors[msg.sender][epochId]`) and the epoch total (`info.totalBidTokenAmount`). This violates the checks-effects-interactions pattern, which is the standard way to prevent reentrancy. Note the precondition: `safeTransferFrom` only hands control to caller-controlled code if `bidToken` implements transfer hooks (an ERC-777 style token, for example); a plain ERC-20 does not call back into the sender, so for such tokens the ordering is a defensive weakness rather than a demonstrated exploit path.

function bid(uint256 amount) external virtual override onlyWhenLive {
    // Checks
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    // Interaction: external call into bidToken before any storage write
    bidToken.safeTransferFrom(msg.sender, treasury, amount);
    // Effects: deposit accounting is updated only after the call returns
    uint256 epochIdCache = _currentEpochId;
    depositors[msg.sender][epochIdCache] += amount;
    EpochInfo storage info = epochs[epochIdCache];
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochIdCache, amount);
}

Impact

If `bidToken` can call back into the bidder during the transfer, the bidder can re-enter `bid` while the first call's `depositors` and `totalBidTokenAmount` updates are still pending. Each nested call still pulls its full `amount` to the treasury before returning, so a re-entrant bidder is not credited for tokens it did not pay, and the per-epoch accounting remains consistent. The concern is therefore the unguarded ordering itself: any future change that reads or acts on the deposit state between the transfer and the update (or a token with hooks that the auction is later configured to use) would turn this into an exploitable window, and the other participants' share of Temple Gold would then be at risk.

Tools Used

Manual code review

Recommendations

Follow the checks-effects-interactions pattern: update `depositors` and `info.totalBidTokenAmount` (and emit `Deposit`) before calling `bidToken.safeTransferFrom`. Because `safeTransferFrom` reverts on failure, a failed transfer rolls back the earlier state writes, so nothing is credited that was not paid. Adding a `nonReentrant` guard to `bid` is a cheap complement that also protects against re-entry through token hooks if the ordering is ever changed again.
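The reordered `bid` described above, as an added example that is not the project's own fix or code. It keeps the storage and event names from the snippet in this report; the simplified epoch bookkeeping, the `startEpoch` helper, the `AuctionNotLive` error and the OpenZeppelin v5 import paths are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TempleGold's code. Import paths assume OpenZeppelin Contracts v5.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Minimal auction sketch with bid() written in checks-effects-interactions order.
/// Storage names mirror the snippet in the report; the epoch bookkeeping and the
/// onlyWhenLive gate are simplified assumptions so the contract stands alone.
contract CeiBidExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error ExpectedNonZero();
    error AuctionNotLive();

    struct EpochInfo {
        uint128 startTime;
        uint128 endTime;
        uint256 totalBidTokenAmount;
    }

    IERC20 public immutable bidToken;
    address public immutable treasury;

    uint256 internal _currentEpochId;
    mapping(address depositor => mapping(uint256 epochId => uint256 amount)) public depositors;
    mapping(uint256 epochId => EpochInfo) public epochs;

    event Deposit(address indexed depositor, uint256 indexed epochId, uint256 amount);

    constructor(IERC20 bidToken_, address treasury_) {
        bidToken = bidToken_;
        treasury = treasury_;
    }

    modifier onlyWhenLive() {
        EpochInfo storage info = epochs[_currentEpochId];
        if (block.timestamp < info.startTime || block.timestamp >= info.endTime) {
            revert AuctionNotLive();
        }
        _;
    }

    /// Opens a new epoch. Access control is omitted because it is not the point here.
    function startEpoch(uint128 duration) external {
        uint256 epochId = ++_currentEpochId;
        epochs[epochId].startTime = uint128(block.timestamp);
        epochs[epochId].endTime = uint128(block.timestamp) + duration;
    }

    function bid(uint256 amount) external nonReentrant onlyWhenLive {
        // Checks
        if (amount == 0) revert ExpectedNonZero();

        // Effects: every storage write happens before control can leave this contract.
        uint256 epochIdCache = _currentEpochId;
        depositors[msg.sender][epochIdCache] += amount;
        epochs[epochIdCache].totalBidTokenAmount += amount;
        emit Deposit(msg.sender, epochIdCache, amount);

        // Interactions: the external call comes last. safeTransferFrom reverts on
        // failure, which rolls back the effects above, so no credit survives an
        // unpaid transfer. nonReentrant additionally blocks re-entry through any
        // token hook even if the ordering above is later changed by mistake.
        bidToken.safeTransferFrom(msg.sender, treasury, amount);
    }
}
```

The reordering alone is sufficient against a token that calls back into the bidder, because by the time the hook runs the deposit is already recorded and a nested `bid` simply records and pays a second, independent deposit. The `nonReentrant` guard is belt-and-braces; for a plain ERC-20 with no hooks neither change alters observable behaviour, which is why this class of finding is usually rated as a hardening recommendation rather than an exploit.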

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
