TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

auctionTokens for zero bid auction can be recovered multiple times

Summary

In the SpiceAuction contract, the function recoverAuctionTokenForZeroBidAuction is used to recover the auction tokens of an auction that has ended without receiving any bid. Because there were no bids, nobody can claim the auction tokens allocated to that epoch, so they can be recovered by calling recoverAuctionTokenForZeroBidAuction. Only the daoExecutor has access to this function. However, recoverAuctionTokenForZeroBidAuction can be called multiple times by the daoExecutor for the same zero-bid epochId, even if the tokens for that epoch have already been recovered.

Vulnerability Details

The function recoverAuctionTokenForZeroBidAuction has no check to determine whether the auctionTokens for a given epochId have already been recovered. As a result, it can be called repeatedly for the same epochId and drain auctionToken from the contract. The function should include a check that makes a second recovery for the same zero-bid epochId impossible.

Impact

The daoExecutor can drain auctionToken by repeatedly calling recoverAuctionTokenForZeroBidAuction for an epochId with zero bids.

Tools Used

Manual review

Recommendations

Set totalAuctionTokenAmount to 0 in the recoverAuctionTokenForZeroBidAuction function so that the auction tokens for the same epochId cannot be recovered a second time.
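The following Solidity sketch illustrates the recommended fix. It is an added example written for this page, not TempleGold's SpiceAuction source: the EpochInfo struct, its fields, the onlyDaoExecutor modifier, the setupEpoch helper and the custom errors are assumptions chosen to show the pattern, and only the names recoverAuctionTokenForZeroBidAuction, daoExecutor, epochId, auctionToken and totalAuctionTokenAmount come from the report. The unsafe variant transfers the epoch's recorded allocation on every call; the hardened variant zeroes the stored amount before transferring and rejects a second call for the same epoch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative sketch only (assumption): not the TempleGold SpiceAuction contract.
/// Storage layout, helper functions and errors are invented to demonstrate the
/// missing idempotency check described in the finding.
contract SpiceAuctionSketch {
    struct EpochInfo {
        uint128 endTime;                 // auction close timestamp
        uint256 totalAuctionTokenAmount; // auction tokens allocated to this epoch
        uint256 totalBidTokenAmount;     // bids received; zero means a zero-bid auction
    }

    address public immutable daoExecutor;
    IERC20 public immutable auctionToken;
    mapping(uint256 epochId => EpochInfo) public epochs;

    error NotDaoExecutor();
    error AuctionActive();
    error AuctionHadBids();
    error AlreadyRecovered();
    error TransferFailed();

    constructor(address _daoExecutor, IERC20 _auctionToken) {
        daoExecutor = _daoExecutor;
        auctionToken = _auctionToken;
    }

    modifier onlyDaoExecutor() {
        if (msg.sender != daoExecutor) revert NotDaoExecutor();
        _;
    }

    /// Assumed helper: records an epoch's allocation so the recovery paths have state to act on.
    function setupEpoch(uint256 epochId, uint128 endTime, uint256 amount) external onlyDaoExecutor {
        epochs[epochId] = EpochInfo({endTime: endTime, totalAuctionTokenAmount: amount, totalBidTokenAmount: 0});
    }

    /// Unsafe variant: the epoch's recorded amount is never cleared, so every
    /// call after the auction ends transfers the same allocation again.
    function recoverAuctionTokenForZeroBidAuctionUnsafe(uint256 epochId, address to) external onlyDaoExecutor {
        EpochInfo storage info = epochs[epochId];
        if (block.timestamp < info.endTime) revert AuctionActive();
        if (info.totalBidTokenAmount != 0) revert AuctionHadBids();
        if (!auctionToken.transfer(to, info.totalAuctionTokenAmount)) revert TransferFailed();
    }

    /// Hardened variant: read the amount, zero it in storage, then transfer
    /// (checks-effects-interactions). A second call for the same epochId reverts.
    function recoverAuctionTokenForZeroBidAuction(uint256 epochId, address to) external onlyDaoExecutor {
        EpochInfo storage info = epochs[epochId];
        if (block.timestamp < info.endTime) revert AuctionActive();
        if (info.totalBidTokenAmount != 0) revert AuctionHadBids();

        uint256 amount = info.totalAuctionTokenAmount;
        if (amount == 0) revert AlreadyRecovered();
        info.totalAuctionTokenAmount = 0; // state change before the external call

        if (!auctionToken.transfer(to, amount)) revert TransferFailed();
    }
}
```

A Foundry test for the hardened path would call recoverAuctionTokenForZeroBidAuction once, assert the recipient balance equals the epoch's allocation, then expect the second call to revert with AlreadyRecovered. Zeroing the stored amount before the transfer also closes the reentrancy window a token with transfer hooks would otherwise open, which is why the effect precedes the interaction.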

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
