TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Low Findings

L-01. Stakers are participating in governance by default

Vulnerability Details

The documentation says:

A staker participating in governance must set delegate to either own address or another address using `delegate()`. Setting delegate to address zero means no participation in governance(default).

But the implementation of the staking feature implicitly forces the staker to set the delegate to himself when he doesn't stake for another address. If the staker doesn't want to participate in governance, he has to deliberately delegate to address(0).
This goes against the protocol behavior described in the documentation.

Recommendations

When a user stakes for himself by calling the TempleGoldStaking::stake function, delegate his vote to address(0).

L-02. DaiGoldAuction is missing a function for recovering blocked TGLD after all depositors have claimed their shares

Vulnerability Details

When calculating the amount of TGLD that can be claimed by a depositor, the DaiGoldAuction::claim() function rounds down, which keeps the remainder in the protocol.
As a result, a tiny amount of TGLD can be locked in this contract at any one time, which is a loss of funds the contract was intended to protect. This amount can be significant as the auction progresses.
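
The rounding effect described above, as an added example that is not part of the original submission or the TempleGold code base. It assumes a pro-rata claim of the form `deposit * totalAuctionTokens / totalBidTokens` with floor division and 18-decimal tokens; all names and sample values are constructed. It also goes beyond a single claim by accumulating the residual over many epochs.

```python
# Added illustration: models a pro-rata claim with floor division.
# The formula and all names here are assumptions, not DaiGoldAuction's code.
import random

WAD = 10**18  # 18-decimal base units (assumed for both tokens)


def claim_amount(deposit: int, total_auction: int, total_bid: int) -> int:
    """floor(deposit * total_auction / total_bid), like Solidity integer math."""
    return deposit * total_auction // total_bid


def simulate_epoch(deposits: list[int], total_auction: int) -> dict:
    """Let every depositor claim once and report what stays in the contract."""
    total_bid = sum(deposits)
    claimed = sum(claim_amount(d, total_auction, total_bid) for d in deposits)
    dust = total_auction - claimed
    # Each claim loses strictly less than 1 base unit, so dust < len(deposits).
    return {"claimed": claimed, "dust": dust, "bound": len(deposits)}


def simulate_auction(epochs: int, depositors: int, seed: int = 1) -> int:
    """Accumulate the residual over many epochs of constructed random deposits."""
    rng = random.Random(seed)
    locked = 0
    for _ in range(epochs):
        deposits = [rng.randint(1, 50_000 * WAD) for _ in range(depositors)]
        total_auction = rng.randint(1, 1_000_000 * WAD)
        locked += simulate_epoch(deposits, total_auction)["dust"]
    return locked


if __name__ == "__main__":
    # Constructed sample: three depositors bid 1 token each for 100 TGLD.
    print(simulate_epoch([1 * WAD, 1 * WAD, 1 * WAD], 100 * WAD))
    # Residual in base units after 365 epochs with 200 depositors each.
    print(simulate_auction(epochs=365, depositors=200))
```

The residual is reported in base units (1 TGLD = 10**18 base units under the stated assumption), which is the figure a recovery function would need to sweep.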

Recommendations

Add a function for recovering the remaining TGLD after depositors have claimed their shares. This function should be protected by the onlyElevatedAccess modifier.

L-03. Missing check for _spiceToken different from _templeGold

Vulnerability Details

In the SpiceAuction contract, there is no check to ensure that spiceToken is different from templeGold.

Recommendations

Add a check for _spiceToken != _templeGold and revert if they are the same.

Updates

Lead Judging Commences

inallhonesty Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
