TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Non-whitelisted recipient prevent TGLD bidding in `SpiceAuction` contract

merlinboii

Summary

As below, TGLD's whitelist is likely limited to only the following four contracts to retain its status as the non-transferrable ERC20, which may result in overlooking the need to whitelist other contracts required for certain processes.

TGLD can be transferred to whitelisted addresses. These are TempleGoldStaking, DaiGoldAuction, SpiceAuction, and the team gnosis multisig address.

The SpiceAuction contract cannot bid if _recipient/treasury is not whitelisted for TGLD, in cases where _config.isTempleGoldAuctionToken = false (i.e., TGLD is the bidToken).

Vulnerability Details

In the SpiceAuction contract, when the _config.isTempleGoldAuctionToken is set to false, indicating that TGLD is used as the bid token, the TGLD performs a whitelist check on the from: TGLD holders and to: _recipient .

If the _recipient or treasury is not whitelisted, the bidding process fails, preventing any bids from being placed.

// Location: SpiceAuction.sol

function bid(uint256 amount) external virtual override {

/// @dev Cache, gas savings

uint256 epochId = _currentEpochId;

EpochInfo storage info = epochs[epochId];

if(!info.isActive()) { revert CannotDeposit(); }

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

SpiceAuctionConfig storage config = auctionConfigs[epochId];

(address bidToken,) = _getBidAndAuctionTokens(config);

address _recipient = config.recipient;

uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);

@> IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);

uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);

// fee on transfer tokens

if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) { revert CommonEventsAndErrors.InvalidParam(); }

depositors[msg.sender][epochId] += amount;

info.totalBidTokenAmount += amount;

emit Deposit(msg.sender, epochId, amount);

}

// Location: SpiceAuction.sol

function _getBidAndAuctionTokens(

SpiceAuctionConfig storage _config

) private view returns (address bidToken, address auctionToken) {

(bidToken, auctionToken) = _config.isTempleGoldAuctionToken

? (spiceToken, templeGold)

: (templeGold, spiceToken);

}

Impact

Users are unable to place bids if the _recipient or treasury is not whitelisted, leading to reduced participation in the auction.

Tools Used

Manual Review

Recommendations

Consider whitelisting the actors that need to be operated, to prevent the issue.

TGLD can be transferred to whitelisted addresses. These are TempleGoldStaking, DaiGoldAuction, SpiceAuction, and the team gnosis multisig address.

Moreover, as mentioned above, the whitelist intentionally allows addresses such as TempleGoldStaking, DaiGoldAuction, SpiceAuction, and the team gnosis multisig. However, the _recipient of the bid token might be a different contract from these four, meaning the whitelist requirement for this _recipient might not be intentional for the protocol.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.