auctionTokens for zero bid auction can be recovered multiple times
Summary
In SpiceAuctioncontract, function recoverAuctionTokenForZeroBidAuctionis used to recover the auction tokens if auction is ended and it didn't had any bid. Since, it didn't had any bid, the auction tokens corresponding to that auction can't be claimed by anyone and hence can be recovered by calling recoverAuctionTokenForZeroBidAuction. Only daoExecutorhas the access to call it. The function to recoverAuctionTokenForZeroBidAuctioncan be called multiple times by the daoExecutorfor the same epochIdwith zero bid even if it had already recovered the tokens earlier.
Vulnerability Details
The function recoverAuctionTokenForZeroBidAuctiondoesn't have any checks to ensure that the auctionTokensbeing recovered for epochIdhas already been recovered earlier or not. Due to this, it is possible to call this multiple times for same epochId and drain auctionToken for that epochId. The function should have a check to ensure that it is not possible to recover the tokens multiple times for same epochIdwith zero bid.
Impact
The daoExecutorcan drain the auctionToken corresponding to epochId with zero bids by calling recoverAuctionTokenForZeroBidAuction
Tools Used
Manual review
Recommendations
Update the totalAuctionTokenAmountto 0in the recoverAuctionTokenForZeroBidAuctionfunction to ensure that recovery of auction tokens for same epochId doesn't happen.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.