TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

USER_FIRST_BID is not supported by the SpiceAuction contract.

Summary

We have two types of activation mode:

    enum ActivationMode {
        /// @notice Auction is enabled and awaiting start if amount of auction token is sent to contract
        AUCTION_TOKEN_BALANCE,
        /// @notice Enable auction when user bids for other volatile token
        USER_FIRST_BID
    }

But regardless of the mode, the contract activates the auction in the startAuction function:

    if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {
        if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }
    }
    if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }

It only checks that there are enough tokens when the mode is AUCTION_TOKEN_BALANCE.

Vulnerability Details

In case the activation mode is set to USER_FIRST_BID, the auction can be started even with 0 auction token rewards.
But there is no accounting mechanism that updates _totalAuctionTokenAllocation when the activation mode is USER_FIRST_BID.

Since it is a valid way to start an auction, a user may bid tokens hoping to get the future incoming rewards from the TGLD contract.
But since there is no way to increase the allocated reward for the auction, any user who bids in an auction that was started using USER_FIRST_BID can bid for 0 rewards.

Impact

Users can lose their bids.

Tools Used

manual

Recommendations

Implement a mechanism to update the _totalAuctionTokenAllocation for auctions started using the USER_FIRST_BID as activation mode.

OR remove the ActivationMode completely if it is not intended to be used.
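
The guard quoted in the Summary, exercised as a Foundry test against a simplified model. This is an added example, not code from the submission or from the SpiceAuction contract: StartGuardModel, setConfig, the started flag and passing epochAuctionTokenAmount as a parameter are assumptions for illustration; only the enum and the two checks come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Simplified model (assumption): the real contract derives
// epochAuctionTokenAmount itself; here the caller passes it in.
contract StartGuardModel {
    enum ActivationMode { AUCTION_TOKEN_BALANCE, USER_FIRST_BID }
    struct Config { ActivationMode activationMode; uint256 minimumDistributedAuctionToken; }
    error MissingAuctionTokenConfig();
    error NotEnoughAuctionTokens();

    Config public config;
    bool public started; // hypothetical flag: set once both checks pass

    function setConfig(ActivationMode mode, uint256 minimum) external {
        config = Config(mode, minimum);
    }

    function startAuction(uint256 epochAuctionTokenAmount) external {
        // The two checks exactly as quoted in the Summary.
        if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {
            if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }
        }
        if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }
        started = true;
    }
}

contract StartGuardModelTest is Test {
    StartGuardModel internal guard = new StartGuardModel();

    function test_tokenBalanceMode_requiresNonZeroMinimum() public {
        guard.setConfig(StartGuardModel.ActivationMode.AUCTION_TOKEN_BALANCE, 0);
        vm.expectRevert(StartGuardModel.MissingAuctionTokenConfig.selector);
        guard.startAuction(0);
    }

    function test_userFirstBid_zeroMinimumAdmitsZeroTokens() public {
        guard.setConfig(StartGuardModel.ActivationMode.USER_FIRST_BID, 0);
        guard.startAuction(0); // neither check fires
        assertTrue(guard.started());
    }

    function test_userFirstBid_nonZeroMinimumStillEnforced() public {
        guard.setConfig(StartGuardModel.ActivationMode.USER_FIRST_BID, 100);
        vm.expectRevert(StartGuardModel.NotEnoughAuctionTokens.selector);
        guard.startAuction(99);
    }
}
```

The third test shows that the balance comparison itself is mode-independent; what differs between modes is only whether a zero minimum is rejected at start.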

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
