TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`DaiGoldAuction.sol#bid` function has no slippage control.

danielarmstrong

Summary

DaiGoldAuction.sol#bid function has no slippage control.
So the bidders who bid large amount at a time may lose funds.

Vulnerability Details

DaiGoldAuction.sol#bid function is the following.

function bid(uint256 amount) external virtual override onlyWhenLive {

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

bidToken.safeTransferFrom(msg.sender, treasury, amount);

uint256 epochIdCache = _currentEpochId;

depositors[msg.sender][epochIdCache] += amount;

EpochInfo storage info = epochs[epochIdCache];

141: info.totalBidTokenAmount += amount;

emit Deposit(msg.sender, epochIdCache, amount);

}

As can be seen, the function has no slippage control parameter.

Scenario:

Now assume that epochInfo.totalAuctionTokenAmount = 100 TGLD, the expected price of TGLD is 0.1 DAI and epochInfo.totalBidTokenAmount = 5 DAI.
Since the auction is profitable as long as totalBidTokenAmount is less than 10 DAI, bidder1 calls bid function with amount = 5 DAI.
While the tx stays in mempool, bidder2 executes bid function also with amount = 5 DAI.
As a result, the totalBidTokenAmount will be 15 DAI and the bidder1 and bidder2 will receive 33.3 TGLD respectively for their 5 DAI, which means that the bidders lost funds of about 1.66 DAI respectively.

Impact

This issue may damage the bidders who bid large amount of DAI at a time.
The same problem exists in SpiceAuction.sol#bid function too.

Tools Used

Manual Review

Recommendations

Modify the DaiGoldAuction.sol#bid function as follows.

-- function bid(uint256 amount) external virtual override onlyWhenLive {

++ function bid(uint256 amount, uint256 maxTotalBidTokenAmount) external virtual override onlyWhenLive {

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

bidToken.safeTransferFrom(msg.sender, treasury, amount);

uint256 epochIdCache = _currentEpochId;

depositors[msg.sender][epochIdCache] += amount;

EpochInfo storage info = epochs[epochIdCache];

info.totalBidTokenAmount += amount;

++ require(info.totalBidTokenAmount <= maxTotalBidTokenAmount);

emit Deposit(msg.sender, epochIdCache, amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!