TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

When an auction with zero bids happens, all TGLD is stuck

Vulnerability details

In the DaiGoldAuction contract, when a new auction starts, nextAuctionGoldAmount is set to 0. This means that all of the tokens from the previous auction can only be claimed by users who participated in that auction, and none of them are auctioned again in the new round. It is possible for an auction to receive no bids. In that scenario, all of the tokens from that auction are stuck in DaiGoldAuction.

After an auction starts, it is not possible to recover the TGLD tokens in any way.

Proof of Concept

Add this test to DaiGoldAuction.t.sol inside the DaiGoldAuctionTest contract.

    function test_auction_without_bids() public {
        _setVestingFactor(templeGold);
        vm.startPrank(executor);
        daiGoldAuction.setAuctionStarter(address(0));
        IDaiGoldAuction.AuctionConfig memory _config = _getAuctionConfig();
        daiGoldAuction.setAuctionConfig(_config);
        skip(1 days);
        templeGold.mint();
        uint256 tgldBalanceBefore = templeGold.balanceOf(address(daiGoldAuction));
        uint128 startTime = uint128(block.timestamp + _config.auctionStartCooldown);
        uint128 endTime = startTime + uint128(1 weeks);
        uint256 goldAmount = daiGoldAuction.nextAuctionGoldAmount();
        // start the first auction; nobody bids in it
        daiGoldAuction.startAuction();
        IDaiGoldAuction.EpochInfo memory epochInfo = daiGoldAuction.getEpochInfo(1);
        assertEq(daiGoldAuction.currentEpoch(), 1);
        assertEq(epochInfo.startTime, startTime);
        assertEq(epochInfo.endTime, endTime);
        assertEq(epochInfo.totalBidTokenAmount, 0);
        assertEq(epochInfo.totalAuctionTokenAmount, goldAmount);
        // move past the end of epoch 1 and the required gap between auctions
        vm.warp(epochInfo.endTime + _config.auctionsTimeDiff);
        // distribute gold and start second auction
        templeGold.mint();
        startTime = uint128(block.timestamp + _config.auctionStartCooldown);
        endTime = startTime + uint128(1 weeks);
        goldAmount = daiGoldAuction.nextAuctionGoldAmount();
        daiGoldAuction.startAuction();
        epochInfo = daiGoldAuction.getEpochInfo(2);
        assertEq(daiGoldAuction.currentEpoch(), 2);
        assertEq(epochInfo.startTime, startTime);
        assertEq(epochInfo.endTime, endTime);
        assertEq(epochInfo.totalBidTokenAmount, 0);
        assertEq(epochInfo.totalAuctionTokenAmount, goldAmount);
        assertEq(
            daiGoldAuction.epochGoldSupply(2),
            epochInfo.totalAuctionTokenAmount
        );
        uint256 tgldBalanceAfter = templeGold.balanceOf(address(daiGoldAuction));
        assertGt(tgldBalanceAfter, tgldBalanceBefore);
        // Token balance of auction contract is greater than current total auction token amount
        // It means that some tokens are now stuck inside contract
        assertNotEq(tgldBalanceAfter, epochInfo.totalAuctionTokenAmount);
    }

Run forge test --match-test "test_auction_without_bids" -vvvv to see the outputs.

The TGLD token balance of the DaiGoldAuction contract is greater than totalAuctionTokenAmount. This means that some tokens are not being auctioned in the next auction and are going to be stuck in the contract.

Impact

When an auction with no bids happens, the tokens that were supposed to be sold will be stuck in the auction contract.

Recommended Mitigation Steps

Create a function similar to the recoverAuctionTokenForZeroBidAuction function of the SpiceAuction contract. It should allow tokens to be recovered from a zero-bid auction once the auction has concluded and totalBidTokenAmount == 0.
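
One way such a recovery path could look, as an added example that is not TempleDAO's code and not the SpiceAuction implementation. The contract name, the executor role, notifyFunded, the recovered mapping and the function signature are assumptions; only the epoch accounting described in this finding is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Added example, not project code. Field names follow the PoC; everything else is hypothetical.
contract ZeroBidRecoveryExample {
    struct EpochInfo { uint128 startTime; uint128 endTime; uint256 totalBidTokenAmount; uint256 totalAuctionTokenAmount; }

    IERC20 public immutable auctionToken;        // TGLD in the finding
    address public immutable executor;           // assumed privileged role
    uint256 public currentEpoch;
    uint256 public nextAuctionGoldAmount;
    mapping(uint256 => EpochInfo) public epochs;
    mapping(uint256 => bool) public recovered;   // hypothetical guard against double recovery

    constructor(IERC20 token, address exec) { auctionToken = token; executor = exec; }
    modifier onlyExecutor() { require(msg.sender == executor, "not executor"); _; }

    // Hypothetical funding hook: the tokens are assumed to be in the contract already.
    function notifyFunded(uint256 amount) external onlyExecutor { nextAuctionGoldAmount += amount; }

    // Behaviour from the finding: the pending amount moves into the new epoch, then resets to 0.
    function startAuction() external onlyExecutor {
        require(currentEpoch == 0 || block.timestamp > epochs[currentEpoch].endTime, "auction active");
        EpochInfo storage info = epochs[++currentEpoch];
        info.startTime = uint128(block.timestamp);
        info.endTime = uint128(block.timestamp + 1 weeks);
        info.totalAuctionTokenAmount = nextAuctionGoldAmount;
        nextAuctionGoldAmount = 0;
    }

    // Bid-token transfer omitted; only the counter matters for the recovery check.
    function bid(uint256 amount) external {
        EpochInfo storage info = epochs[currentEpoch];
        require(block.timestamp >= info.startTime && block.timestamp <= info.endTime, "not active");
        info.totalBidTokenAmount += amount;
    }

    // Mitigation: release an epoch's tokens only after it ended with totalBidTokenAmount == 0.
    function recoverTokenForZeroBidAuction(uint256 epochId, address to) external onlyExecutor {
        EpochInfo storage info = epochs[epochId];
        require(info.endTime != 0 && block.timestamp > info.endTime, "not ended");
        require(info.totalBidTokenAmount == 0, "has bids");
        require(!recovered[epochId], "already recovered");
        recovered[epochId] = true;               // state change before the external call
        require(auctionToken.transfer(to, info.totalAuctionTokenAmount), "transfer failed");
    }
}
```

The three checks keep recovery from touching an active auction, an epoch whose bidders still have claims, or an epoch that was already recovered.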

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Auctioned tokens cannot be recovered for epochs with empty bids in DaiGoldAuction
