The `removeAuctionConfig` function is expected to reset an auction config either for an auction that is in the cooldown phase or for an auction whose config is set but for which `startAuction` has not been called.
The vulnerability is in the `removeAuctionConfig` function at line 113, which reverts when `startTime` for the current auction epoch info is 0. It misses the scenario of the very first auction: when the config is set, `startTime` is still 0 because the epoch id has not been incremented, so the config cannot be reset.
For the very first auction config set via `setAuctionConfig`, the config is stored for the next epoch id, i.e. `1`, while `currentEpochId` still stores `0`, as it is only updated when `startAuction` is called.
Removing the auction config for the very first auction therefore fails: the function checks whether `startTime` for the current epoch id is `0`, and because the current epoch id has not been used yet, it is always 0. As a result, `removeAuctionConfig` cannot be called for the very first auction when only its config has been set.
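The epoch bookkeeping described above can be reproduced with a small Python model. This is an added example, not the audited contract's code: the class, the `check_start_time` switch and the timestamps are constructed for illustration, and it models only the "config set, `startAuction` not called" path, with and without the `startTime` check.

```python
# Simplified model (constructed) of the epoch bookkeeping; not the audited Solidity code.
class InvalidConfigOperation(Exception):
    """Stands in for the contract's revert."""

class AuctionModel:
    def __init__(self, check_start_time=True):
        self.current_epoch_id = 0
        self.epochs = {}    # epoch id -> (startTime, endTime); missing means (0, 0)
        self.configs = {}   # epoch id -> auction duration in seconds
        self.check_start_time = check_start_time

    def set_auction_config(self, duration):
        # Stored under the NEXT epoch id; current_epoch_id is not advanced here.
        self.configs[self.current_epoch_id + 1] = duration

    def start_auction(self, now):
        next_id = self.current_epoch_id + 1
        if next_id not in self.configs:
            raise InvalidConfigOperation("no config for next epoch")
        # Only here does the epoch id advance and startTime become non-zero.
        self.current_epoch_id = next_id
        self.epochs[next_id] = (now, now + self.configs[next_id])

    def remove_auction_config(self, now):
        start, end = self.epochs.get(self.current_epoch_id, (0, 0))
        # The check the finding describes: revert when the current epoch's startTime is 0.
        if self.check_start_time and start == 0:
            raise InvalidConfigOperation("startTime is 0 for current epoch")
        if start <= now < end:
            raise InvalidConfigOperation("auction is active")
        if self.configs.pop(self.current_epoch_id + 1, None) is None:
            raise InvalidConfigOperation("no pending config")

def can_remove_first_config(check_start_time):
    m = AuctionModel(check_start_time)
    m.set_auction_config(3600)       # very first config: currentEpochId is still 0
    try:
        m.remove_auction_config(now=1_000)
    except InvalidConfigOperation:
        return False
    return 1 not in m.configs

def can_remove_later_config():
    m = AuctionModel()
    m.set_auction_config(3600)
    m.start_auction(now=1_000)       # epoch 1 runs from 1000 to 4600
    m.set_auction_config(3600)       # config for epoch 2, set after epoch 1 ended
    m.remove_auction_config(now=5_000)
    return 2 not in m.configs
```

With the check in place only the first config is stuck; a config set after a completed auction can still be removed, which is why the issue is specific to epoch id 0.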
`removeAuctionConfig` will revert for the starting auction, and its auction config cannot be reset.
Manual Review
Remove the below check from `removeAuctionConfig`: