TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Prevent Self-Referential Recipient in `SpiceAuction::setAuctionConfig`

kildren

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L138

Summary

Setting the recipient in SpiceAuction::setAuctionConfig to the contract's own address can cause BidTokens to be transferred back to the auction contract, leading to circular token transfers and compromising auction integrity. Although SpiceAuction::recoverToken can extract these tokens, this situation is prone to operational errors and may inadvertently increase the total amount of tokens available in subsequent auctions using the same token.

Vulnerability Details

The protocol only specifies a minimum total amount for each auction without setting a fixed quantity. The actual amount of tokens for auction is calculated in SpiceAuction::startAuction

function startAuction() external override {
...
(,address auctionToken) = _getBidAndAuctionTokens(config);
@> uint256 totalAuctionTokenAllocation = _totalAuctionTokenAllocation[auctionToken];
@> uint256 balance = IERC20(auctionToken).balanceOf(address(this));
@> uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);
if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {
if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }
}
if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }
// epoch start settings
// now update currentEpochId
epochId = _currentEpochId = _currentEpochId + 1;
EpochInfo storage info = epochs[epochId];
uint128 startTime = info.startTime = uint128(block.timestamp) + config.startCooldown;
uint128 endTime = info.endTime = startTime + config.duration;
@> info.totalAuctionTokenAmount = epochAuctionTokenAmount;
// Keep track of total allocation auction tokens per epoch
_totalAuctionTokenAllocation[auctionToken] = totalAuctionTokenAllocation + epochAuctionTokenAmount;
emit AuctionStarted(epochId, msg.sender, startTime, endTime, epochAuctionTokenAmount);
}

The code reveals that the total amount for each auction is directly correlated with the contract's balance of that token. If TokenA is first used as a BidToken in one auction and then as an AuctionToken in a subsequent auction, failure to withdraw the TokenA proceeds from the previous auction promptly will result in these proceeds being automatically included in the next auction.

Impact

  1. Unexpected Auction Volume Increase: The total volume of TokenA in subsequent auctions may exceed expectations due to the inclusion of previous auction proceeds.

  2. Token Distribution Imbalance: This could lead to an over-distribution of TokenA compared to the original tokenomics plan.

  3. Project Fund Leakage: The project team might inadvertently reinvest auction proceeds that were intended for their treasury.

  4. Operational Complexity: The project team would need to manage post-auction withdrawals more meticulously, adding to operational overhead.

  5. Potential for Exploitation: If discovered by malicious actors, this could be leveraged to manipulate the auction process or token distribution.

Tools Used

Manual Review.

Recommendations

To mitigate the identified risk, implement the following safeguards in the SpiceAuction::setAuctionConfig function:

  1. Add a validation check for the recipient address:

    • Ensure it is not set to the contract's own address.

    • Verify that it points to a designated treasury address or an approved external wallet.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.