TempleGold

Summary

Multiple contracts constructors are not validating the params including DaiGoldAuction, SpiceAuction, SpiceAuctionFactory, TempleGold, TempleGoldAdmin, and TempleGoldStaking. The constructors in these contracts lack proper validation for input parameters. Failure to validate constructor parameters can lead to various security vulnerabilities, including the initialization of contracts with invalid or malicious addresses and values. This report details the identified issue, its potential impact, and recommendations for remediation.

Vulnerability Details

The constructor of the DaiGoldAuction contract initializes critical contract variables without validating the provided addresses. Specifically, the following parameters are not checked:

• _templeGold

• _bidToken

• _treasury
  This lack of validation allows the contract to be deployed with invalid or malicious addresses, potentially leading to severe security risks.

An attacker could exploit the lack of validation in the SpiceAuction:constructor to deploy the contract with arbitrary addresses for _templeGold, _spiceToken, and _daoExecutor. This can lead to loss of funds if the contract is not correctly initialized.

If the _templeGold or _daoExecutor addresses are not correctly initialized during deployment of SpiceAuctionFactory, it could prevent the factory from creating valid Spice Auction contracts or interfacing correctly with the Temple ecosystem. This might result in operational disruptions or the inability to manage auctions properly.

In TempleGold, if _initArgs parameters such as _mintChainId, _name, _symbol, _layerZeroEndpoint, or _executor are not correctly validated, it could lead to operational disruptions or security vulnerabilities during the initialization of the contract. For instance, incorrect _mintChainId could lead to improper chain-specific operations.

Without proper validation, there's a risk that the TempleGoldAdmin contract could be initialized with incorrect or unexpected contract addresses, potentially exposing users to operational risks or security vulnerabilities during administrative operations related to TempleGold.

Invalid parameters can cause runtime errors or unexpected behaviors during contract execution. This may lead to disruptions in the TempleGoldStaking contract's operation, affecting its ability to perform its intended functions or to interact correctly with other contracts and users.

Impact

In some contracts these params can lead to permanent DOS if not set properly. Initializing contracts with zero or invalid addresses can lead to loss of funds, inability to execute critical functions, and overall malfunction of the contract. sing malicious addresses during deployment can expose the contract to unauthorized access and exploitation, resulting in potential loss of assets and control.

Tools Used

Manual Review

Recommendations

To mitigate these issues, it is essential to implement proper validation for all constructor parameters.