TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

TempleGold is unrecoverable for an auction epoch that had no bids

Summary

TempleGold tokens are at risk of being stuck on DaiGoldAuction when an auction epoch has no DAI bids on it.

Vulnerability Details

The DaiGoldAuction contract does not handle the case in which no DAI bids are made during an epoch. The design assumes that participants are always incentivized to bid, especially when there are no bids so far, because the ONLY bidder then takes the entire amount of tokens reserved for that epoch.

If no bids are made for an epoch, however, the TempleGold funds reserved for that round become unrecoverable.

This is an edge case that we felt must be addressed.

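The vulnerability also stems from the fact that recoverToken() can only be called before the auction starts: as the POC shows, it reverts with AuctionActive while the epoch is running and with AuctionEnded once the epoch has ended.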

Impact

Funds (TempleGold tokens) are unrecoverable from the DaiGoldAuction contract.

Impact is put as low since an unlikely condition must be met - but after we hear what the sponsors think, we will think of escalating it to a medium.

POC

Paste this into DaiGoldAuction.t.sol:

// If no one bids into an x Dai auction, and another auction x+1 starts -> TempleGold funds reserved for that x auction are lost (unretrievable)
function test_unableToRecoverTempleGoldIfNoDaiBids() public {
    _setVestingFactor(templeGold);
    skip(10 days);
    vm.startPrank(executor);
    assertEq(daiGoldAuction.nextAuctionGoldAmount(), 0);
    vm.startPrank(executor);
    IDaiGoldAuction.AuctionConfig memory config = _getAuctionConfig();
    daiGoldAuction.setAuctionConfig(config);

    // currentEpochId = 0
    daiGoldAuction.startAuction();
    IAuctionBase.EpochInfo memory firstEpoch = daiGoldAuction.getEpochInfo(1);
    console.logUint(firstEpoch.totalAuctionTokenAmount); // <--- amount of TempleGold to be distributed in this auction

    // Auction started
    vm.warp(firstEpoch.startTime);
    // no bids in this auction

    // Admin can not recover tokens since the auction started
    vm.expectRevert(abi.encodeWithSelector(IAuctionBase.AuctionActive.selector));
    daiGoldAuction.recoverToken(address(templeGold), alice, firstEpoch.totalAuctionTokenAmount);

    vm.warp(firstEpoch.endTime + config.auctionsTimeDiff);

    // Admin can not recover tokens since the auction ended
    vm.expectRevert(abi.encodeWithSelector(IAuctionBase.AuctionEnded.selector));
    daiGoldAuction.recoverToken(address(templeGold), alice, firstEpoch.totalAuctionTokenAmount);

    // Start another auction
    daiGoldAuction.startAuction();
    uint256 templeGoldBalance = templeGold.balanceOf(address(daiGoldAuction));
    console.logUint(templeGoldBalance); // <---- current templeGold balance after one finished and one started auction
    IAuctionBase.EpochInfo memory secondEpoch = daiGoldAuction.getEpochInfo(2);
    console.logUint(secondEpoch.totalAuctionTokenAmount); // <--- amount of TempleGold to be distributed in this second auction

    vm.expectRevert(abi.encodeWithSelector(CommonEventsAndErrors.InvalidAmount.selector, address(templeGold), templeGoldBalance));
    daiGoldAuction.recoverToken(address(templeGold), alice, templeGoldBalance);

    // assert confirms that there is an amount of TempleGold equal to firstEpoch.totalAuctionTokenAmount
    // that can not be recovered with recoverToken()
    assertEq(templeGoldBalance - firstEpoch.totalAuctionTokenAmount, secondEpoch.totalAuctionTokenAmount);

    // this goes through -> only funds reserved for second auction can be recovered
    daiGoldAuction.recoverToken(address(templeGold), alice, secondEpoch.totalAuctionTokenAmount);
}

Tools Used

Foundry, manual review

Recommendations

Implement a mechanism for recovering the entire balance of TempleGold tokens from the DaiGoldAuction contract, or implement a mechanism for recovering funds from epochs that have not had any bids.
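One way to implement the second recommendation, shown as an added sketch that is not TempleDAO's code nor the fix the project adopted: a simplified epoch auction with an admin-only sweep for a finished epoch that drew no bids. The contract, its functions and fields, and every error name other than AuctionActive and AuctionEnded (reused from the POC) are assumptions; claiming by bidders is omitted, and the auction starts immediately rather than after a delay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified epoch auction; not the DaiGoldAuction source.
contract EmptyEpochRecoverySketch {
    struct Epoch { uint64 endTime; uint256 totalBid; uint256 totalAuctioned; bool recovered; }

    IERC20Min public immutable bidToken;
    IERC20Min public immutable auctionToken;
    address public immutable admin;
    uint256 public currentEpochId;
    mapping(uint256 => Epoch) public epochs;

    error NotAdmin(); error AuctionActive(); error AuctionEnded();
    error InvalidEpoch(uint256 id); error EpochHasBids(uint256 id); error AlreadyRecovered(uint256 id);

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }

    constructor(IERC20Min bid_, IERC20Min auction_) { bidToken = bid_; auctionToken = auction_; admin = msg.sender; }

    // Reserve `amount` of auction token (assumed already held here, not verified) for a new epoch.
    function startAuction(uint256 amount, uint64 duration) external onlyAdmin {
        if (block.timestamp <= epochs[currentEpochId].endTime) revert AuctionActive();
        epochs[++currentEpochId] = Epoch(uint64(block.timestamp) + duration, 0, amount, false);
    }

    function bid(uint256 amount) external {
        Epoch storage e = epochs[currentEpochId];
        if (block.timestamp > e.endTime) revert AuctionEnded();
        e.totalBid += amount;
        require(bidToken.transferFrom(msg.sender, address(this), amount), "bid transfer failed");
    }

    // Added recovery path: release the reservation of a finished epoch with zero bids, once.
    function recoverEmptyEpoch(uint256 epochId, address to) external onlyAdmin {
        if (epochId == 0 || epochId > currentEpochId) revert InvalidEpoch(epochId);
        Epoch storage e = epochs[epochId];
        if (block.timestamp <= e.endTime) revert AuctionActive();
        if (e.totalBid != 0) revert EpochHasBids(epochId); // bidders are owed these tokens
        if (e.recovered) revert AlreadyRecovered(epochId);
        e.recovered = true; // state change before the external call, so it cannot be swept twice
        require(auctionToken.transfer(to, e.totalAuctioned), "recover transfer failed");
    }
}
```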

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Auctioned tokens cannot be recovered for epochs with empty bids in DaiGoldAuction
