TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Inadequate Handling of Zero Bid Auctions token recovery in `recoverAuctionTokenForZeroBidAuction`

pelz

Summary

The spiceAuction.sol contract has a function recoverAuctionTokenForZeroBidAuction that allows the DAOExecutor to recover tokens from auctions with no bids. However, the function does not reset the totalAuctionTokenAmount for the specified epoch, enabling the DAOExecutor to repeatedly recover tokens from the same epoch if the totalAuctionTokenAllocation is sufficient.

Vulnerability Details

The recoverAuctionTokenForZeroBidAuction function in spiceAuction.sol is defined as follows:

function recoverAuctionTokenForZeroBidAuction(uint256 epochId, address to) external override onlyDAOExecutor {
if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
// has to be valid epoch
if (epochId > _currentEpochId) { revert InvalidEpoch(); }
// epoch has to be ended
EpochInfo storage epochInfo = epochs[epochId];
if (!epochInfo.hasEnded()) { revert AuctionActive(); }
// bid token amount for epoch has to be 0
if (epochInfo.totalBidTokenAmount > 0) { revert InvalidOperation(); }
SpiceAuctionConfig storage config = auctionConfigs[epochId];
(, address auctionToken) = _getBidAndAuctionTokens(config);
uint256 amount = epochInfo.totalAuctionTokenAmount; // @audit epochInfo.totalAuctionTokenAmount doesn't get reset to 0.
_totalAuctionTokenAllocation[auctionToken] -= amount;
emit CommonEventsAndErrors.TokenRecovered(to, auctionToken, amount);
IERC20(auctionToken).safeTransfer(to, amount);
}

The vulnerability arises because the function does not reset epochInfo.totalAuctionTokenAmount to zero after transferring the tokens. This omission allows the DAOExecutor to repeatedly invoke this function and recover the same tokens multiple times if _totalAuctionTokenAllocation[auctionToken] is sufficient. There is also no way for the dao executor to know if the tokens for an epoch with zero bids has been recovered successfully due to the way the event is emitted without data of the epoch.

Impact

The impact of this vulnerability includes:

  1. Repeated Token Recovery: The DAOExecutor can continuously recover tokens from the same epoch, leading to potential depletion of auctionToken or templeGold tokens from the contract.

Recommendations

  1. Reset totalAuctionTokenAmount: Ensure that the totalAuctionTokenAmount for the specified epoch is reset to zero after tokens are recovered and ensure amount isn't zero to prevent repeated recovery from the same epoch.

    Example fix:

    function recoverAuctionTokenForZeroBidAuction(uint256 epochId, address to) external override onlyDAOExecutor {
    if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    // has to be valid epoch
    if (epochId > _currentEpochId) { revert InvalidEpoch(); }
    // epoch has to be ended
    EpochInfo storage epochInfo = epochs[epochId];
    if (!epochInfo.hasEnded()) { revert AuctionActive(); }
    // bid token amount for epoch has to be 0
    if (epochInfo.totalBidTokenAmount > 0) { revert InvalidOperation(); }
    SpiceAuctionConfig storage config = auctionConfigs[epochId];
    (, address auctionToken) = _getBidAndAuctionTokens(config);
    uint256 amount = epochInfo.totalAuctionTokenAmount;
    epochInfo.totalAuctionTokenAmount = 0; // Reset the amount to prevent further recovery
    // Add check to ensure amount is not zero
    if(amount = 0){
    revert("Already Claimed");
    }
    _totalAuctionTokenAllocation[auctionToken] -= amount;
    emit CommonEventsAndErrors.TokenRecovered(to, auctionToken, amount);
    IERC20(auctionToken).safeTransfer(to, amount);
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

pelz Submitter
over 1 year ago
inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.