TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Fee on transfer token calculation is incorrect

Vulnerability details

Fee on Transfer token is a token that takes a percentage of sent amount as a fee.

The bid function in the SpiceAuction contract correctly measures the amount of tokens the recipient actually receives. However, the following check leads to a denial of service every time such a token is used.

uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);
IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);
// fee on transfer tokens
if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) { revert CommonEventsAndErrors.InvalidParam(); }

When a user places a bid, the tokens are transferred from his address. When this token is a fee on transfer token, the fee is subtracted from that amount, so the recipient receives amount - fee tokens. _bidTokenAmountAfter - _bidTokenAmountBefore will therefore always be smaller than amount, and the function will always revert for fee on transfer tokens.

Impact

Spice auction will not work with fee on transfer tokens. The current implementation of the bid function leads to DoS every time a fee on transfer token is used.

Recommended Mitigation Steps

Here is pseudocode for a possible fix (the removed check is replaced by crediting the amount that actually arrived):

function bid(uint256 amount) external virtual override {
    /// @dev Cache, gas savings
    uint256 epochId = _currentEpochId;
    EpochInfo storage info = epochs[epochId];
    if(!info.isActive()) { revert CannotDeposit(); }
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    SpiceAuctionConfig storage config = auctionConfigs[epochId];
    (address bidToken,) = _getBidAndAuctionTokens(config);
    address _recipient = config.recipient;
    uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);
    IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
    uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);
    // fee on transfer tokens
-   if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) { revert CommonEventsAndErrors.InvalidParam(); }
-   depositors[msg.sender][epochId] += amount;
+   amount = _bidTokenAmountAfter - _bidTokenAmountBefore;
+   depositors[msg.sender][epochId] += amount;
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochId, amount);
}
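An added Solidity example, not TempleGold's code, that puts the original strict check beside the credit-what-arrived mitigation against a constructed 1% fee-on-transfer token; the names FeeToken, MiniAuction and the fee rate are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not TempleGold code): a minimal fee-on-transfer token and a
// stripped-down bid() in two variants: the original strict balance check and
// the mitigated one. FeeToken, MiniAuction and the 1% fee are constructed.

contract FeeToken {
    mapping(address => uint256) public balanceOf;
    uint256 public constant FEE_BPS = 100; // 1% taken from every transfer
    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // allowance bookkeeping omitted; msg.sender is trusted in this demo
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;   // recipient gets less than `amount`
        return true;
    }
}

contract MiniAuction {
    error InvalidParam();
    FeeToken public immutable bidToken;
    address public immutable recipient;
    mapping(address => uint256) public depositors;
    uint256 public totalBidTokenAmount;

    constructor(FeeToken _t, address _r) { bidToken = _t; recipient = _r; }

    // Original logic: reverts for every fee-on-transfer token (received < amount).
    function bidStrict(uint256 amount) external {
        uint256 before = bidToken.balanceOf(recipient);
        bidToken.transferFrom(msg.sender, recipient, amount);
        uint256 received = bidToken.balanceOf(recipient) - before;
        if (amount != received) revert InvalidParam();
        depositors[msg.sender] += amount;
        totalBidTokenAmount += amount;
    }

    // Mitigated logic: credit the bidder with what actually arrived.
    function bidCredited(uint256 amount) external {
        uint256 before = bidToken.balanceOf(recipient);
        bidToken.transferFrom(msg.sender, recipient, amount);
        uint256 received = bidToken.balanceOf(recipient) - before;
        depositors[msg.sender] += received;
        totalBidTokenAmount += received;
    }
}
```

In a Foundry test, calling bidStrict with the FeeToken reverts with InvalidParam, while bidCredited records 99% of the sent amount for the bidder.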
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
