TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

A malicious user can DOS others and create almost a monopoly

0xthanos

Summary

In the SpiceAuction: bid() function we use the balanceOf() function before and after the safeTransferFrom() to check the amount but that introduces vulnerabilities of A DOS attack.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuction.sol#L183-L203

uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);
IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);
// fee on transfer tokens
if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) {
revert CommonEventsAndErrors.InvalidParam();
}

Consider this scenario:

1.Bob bids 1 ether
2.Alice attempts to bid 2 ether
3.Bob manages to send 1 Wei to the _recipient just before the IERC20(bidToken).balanceOf(_recipient) happens
4.The _recipent balance is now 1 ether and 1Wei
5.Alice's bid(2 ether) call reverts because:

_bidTokenAmountAfter - _bidTokenAmountBefore = 2 Ether and 1 Wei
amount = 2 Ether

So Bob can keep doing this and DOSing as many users as he can to increase the percentage of the TGLD he gets

Impact

High

Tools Used

manual review

Recommendations

1.Implement a minimum bid amount to increase the cost of the attack in order to discourage attackers
OR
2.Change the check from != to<

--if(amount != bidTokenAmountAfter - bidTokenAmountBefore)
++if(amount < bidTokenAmountAfter - bidTokenAmountBefore)
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.