The recoverToken function in the DaiGoldAuction contract uses the _currentEpochId to identify the epoch from which to recover tokens. This design can permanently lock TGLD tokens if a zero-bid auction is not processed before the next auction starts.
The recoverToken function is designed to recover TGLD tokens from auctions that have not started or are in a cooldown period. It uses _currentEpochId to identify the relevant epoch:
If an auction ends with zero bids and the admin doesn't recover the tokens before the next auction starts (which increments _currentEpochId), the tokens from the previous auction become unrecoverable and forever locked in the contract.
Note: The risk is exacerbated by the fact that an auction can potentially be started by anyone if auctionStarter is set to 0, and auctionsTimeDiff can be as low as 1 second. In such cases, as soon as a 0-bid auction ends, another auction could be started by anyone just 1 second later, thus permanently locking the tokens in the contract before the admin has a reasonable chance to recover them.
Permanent loss of funds.
Modify the recoverToken function to accept an epochId parameter, allowing recovery from specific past epochs.
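The following Python model is an added illustration, not code from the DaiGoldAuction contract. It reproduces the epoch accounting described above and compares recovery keyed on the current epoch with recovery keyed on a caller-supplied epoch id. The class, its method names and the eligibility rule (auction not running, zero bids) are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass
class Epoch:
    start: int
    end: int
    tgld: int      # TGLD allocated to this epoch
    bids: int = 0  # total bid tokens received

class AuctionModel:  # constructed model, not the contract's code
    def __init__(self, auctions_time_diff=1):
        self.epochs = {}
        self.current_epoch_id = 0  # stands in for _currentEpochId
        self.auctions_time_diff = auctions_time_diff

    def start_auction(self, now, duration, tgld):
        prev = self.epochs.get(self.current_epoch_id)
        if prev and now < prev.end + self.auctions_time_diff:
            raise RuntimeError("too soon after previous auction")
        self.current_epoch_id += 1
        self.epochs[self.current_epoch_id] = Epoch(now, now + duration, tgld)

    def _recover(self, epoch_id, now):
        e = self.epochs.get(epoch_id)
        if e is None:
            raise RuntimeError("unknown epoch")
        if e.start <= now < e.end:
            raise RuntimeError("auction is running")
        if e.bids or not e.tgld:  # assumed rule: only unsold, zero-bid TGLD
            raise RuntimeError("nothing to recover")
        amount, e.tgld = e.tgld, 0
        return amount

    def recover_token(self, now):
        # Behaviour described in the finding: only the current epoch is reachable.
        return self._recover(self.current_epoch_id, now)

    def recover_token_for(self, epoch_id, now):  # recommended: caller names the epoch
        return self._recover(epoch_id, now)

    def stranded(self, now):
        # TGLD in ended zero-bid epochs that recover_token() can no longer reach.
        return sum(e.tgld for i, e in self.epochs.items()
                   if i != self.current_epoch_id and e.bids == 0 and now >= e.end)

def scenario():
    m = AuctionModel(auctions_time_diff=1)
    m.start_auction(now=0, duration=100, tgld=500)    # epoch 1 ends with zero bids
    m.start_auction(now=101, duration=100, tgld=700)  # epoch 2 starts 1 second later
    return m
```

In the model, `stranded()` works as an invariant check: any non-zero value after a new auction starts marks TGLD that the current-epoch recovery path cannot return.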