TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Front-Running Risk in `startAuction` Function of `DaiGoldAuction` Contract

Fortis Audits

Summary:

The DaiGoldAuction contract allows anyone to start an auction if the auctionStarter address is not set, which opens up the potential for front-running. This can result in an auction being started prematurely or by an unintended actor, leading to potential disruption of the auction process and misuse of contract functionality.

Vulnerability Detail:

The vulnerability is in the startAuction function where it checks if the auctionStarter address is set. If it is not set, any user can start the auction. This creates a window where malicious actors can front-run the auction start before the intended auctionStarter is assigned.

Code Snippet:

/**
* @notice Start auction. Auction start can be triggered by anyone if `auctionStarter` not set
* @dev The Temple Gold amount for the auction is fixed and set at startAuction().
* So in `startAuction()`, there is a call to `_distributeGold()` to mint and distribute TGOLD.
* Any other `_distributeGold()` calls during auction is tracked for next auction use.
*/
function startAuction() external override {
if (auctionStarter != address(0) && msg.sender != auctionStarter) revert CommonEventsAndErrors.InvalidAccess();
EpochInfo storage prevAuctionInfo = epochs[_currentEpochId];
if (!prevAuctionInfo.hasEnded()) revert CannotStartAuction();
AuctionConfig storage config = auctionConfig;
/// @notice last auction end time plus wait period
if (_currentEpochId > 0 && (prevAuctionInfo.endTime + config.auctionsTimeDiff > block.timestamp)) {
revert CannotStartAuction();
}
_distributeGold(); // mints temple gold
uint256 totalGoldAmount = nextAuctionGoldAmount;
nextAuctionGoldAmount = 0;
uint256 epochId = _currentEpochId = _currentEpochId + 1;
if (totalGoldAmount < config.auctionMinimumDistributedGold) revert LowGoldDistributed(totalGoldAmount);
EpochInfo storage info = epochs[epochId];
info.totalAuctionTokenAmount = totalGoldAmount;
uint128 startTime = info.startTime = uint128(block.timestamp) + config.auctionStartCooldown;
uint128 endTime = info.endTime = startTime + AUCTION_DURATION;
emit AuctionStarted(epochId, msg.sender, startTime, endTime, totalGoldAmount);
}

Impact:

This vulnerability can lead to the following issues:

  1. Premature Auction Start: An auction can be started before the intended configuration and preparatory steps are completed, potentially leading to an unfair or unplanned auction process.

  2. Malicious Actors: Malicious actors can exploit this window to manipulate the auction start for their benefit, potentially disrupting the auction's integrity and fairness.

  3. Operational Disruption: The auction process could be disrupted, causing delays and additional administrative overhead to correct the unintended actions.

Tools Used:

Manual code review

Foundry

Recommendations:

  1. Set auctionStarter Before Deployment: Ensure that the auctionStarter is set during contract deployment or initialization phase, removing the window for front-running.

  2. Temporary Disablement: Temporarily disable the startAuction function until auctionStarter is set, ensuring only the designated starter can trigger the auction.

  3. Access Control Check: Implement a stricter access control mechanism to ensure only authorized entities can call startAuction, even if auctionStarter is not set initially.

By addressing this vulnerability, the integrity and reliability of the auction process can be significantly enhanced, preventing misuse and ensuring fair participation.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

`startAuction` the second the DaiGoldAuction is deployed can be used to DOS the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.