If removeAuctionConfig is called for the first auction while it is still in the cooldown period, the funds allocated to that auction will be temporarily stuck in the contract, because recoverToken reverts when info.startTime == 0.
Suppose the first ever auction for the contract has been activated and the admin calls removeAuctionConfig to recover its funds.
Then _currentEpochId will be set back to 0.
Now if the admin tries to recover the funds, the call will revert because info.startTime is back to 0.
Example:
The first auction has started, but the admin decides to recover the tokens during the cooldown period:
The first auction is activated with 1000 tokens, epochId = 1.
While still in the cooldown period, the admin wants to recover the tokens.
To recover tokens for an auction that is in the cooldown period, the admin first needs to call removeAuctionConfig to delete the current config; this sets _currentEpochId back to 0.
The admin calls recoverToken, but the if (info.startTime == 0) check reverts the transaction, because we are now checking the info at id 0, which is null.
This check is unnecessary and actually leads to a further problem:
If the contract has never been used for an auction, the admin is forced to start at least the first auction and wait for its duration to be able to recover tokens.
The admin created a spice contract.
The admin pre-sent 1000 auction tokens, since the tokens have to be sent before starting an auction.
The admin then decides to abandon the contract and use another one.
No auction has been started, but if the admin calls recoverToken to get back the auction tokens, it will revert because of the check.
The admin is forced to start the first auction to be able to recover the tokens.
Funds are temporarily stuck in the contract and cannot be recovered unless a new auction is started.
Reporting this as medium because, although the admin can still recover the funds, he needs to set a new config, start another auction with at least a minimum duration, wait for it to end, and then recover the funds.
So the admin will need 3 separate transactions and will also have to wait for the auction duration to end to recover the tokens.
manual
Remove the if (info.startTime == 0) { revert InvalidConfigOperation(); } line in the recoverToken function.
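The two stuck-funds paths described above, reproduced as a small Python state model (an added example, not the contract's Solidity code). The class, method and parameter names are hypothetical, and the model assumes only what the report states: tokens are sent before an auction starts, removing the first auction resets the epoch id to 0, and recoverToken reverts when the current epoch's startTime is 0. Access control and the auction-active checks are left out.

```python
from dataclasses import dataclass, field

class InvalidConfigOperation(Exception):
    """Stands in for the Solidity revert of the same name."""

@dataclass
class SpiceAuctionModel:  # hypothetical model, not the real contract
    balance: int = 0                  # auction tokens held by the contract
    current_epoch_id: int = 0         # mirrors _currentEpochId
    start_times: dict = field(default_factory=dict)  # epoch id -> startTime

    def fund(self, amount):
        # Tokens have to be sent before an auction can be started.
        self.balance += amount

    def start_auction(self, start_time):
        self.current_epoch_id += 1
        self.start_times[self.current_epoch_id] = start_time

    def remove_auction_config(self):
        # Removing an auction in cooldown deletes its info and steps the id back.
        if self.current_epoch_id == 0:
            raise InvalidConfigOperation()
        self.start_times.pop(self.current_epoch_id)
        self.current_epoch_id -= 1

    def recover_token(self, amount, keep_start_time_check=True):
        # An unset epoch reads as zero, like an empty Solidity mapping slot.
        start_time = self.start_times.get(self.current_epoch_id, 0)
        if keep_start_time_check and start_time == 0:
            raise InvalidConfigOperation()
        self.balance -= amount
        return amount

def try_recover(model, amount, **kwargs):
    try:
        return model.recover_token(amount, **kwargs)
    except InvalidConfigOperation:
        return "reverted"

def removed_first_auction():
    # Constructed scenario 1: first auction (epoch 1) removed during cooldown.
    m = SpiceAuctionModel()
    m.fund(1000)
    m.start_auction(start_time=5000)
    m.remove_auction_config()
    return m

def never_started():
    # Constructed scenario 2: tokens pre-sent, no auction ever started.
    m = SpiceAuctionModel()
    m.fund(1000)
    return m
```

Calling try_recover on either scenario returns "reverted" with the check in place and the full 1000 tokens with keep_start_time_check=False, which corresponds to the recommended removal.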