TempleGold tokens are distributed to the DaiGoldAuction contract. The same contract has a mechanism for recovering those tokens (see the recoverToken() function). Due to the contract design, recovered funds cannot be re-distributed on the same contract, which is the expected behaviour.
The vulnerability stems from the fact that the auction contract only distributes funds it received from the TempleGold contract. When TempleGold distributes funds it calls the notifyDistribution(uint256) function, which accounts for the amount in the auction's storage variable nextAuctionGoldAmount. This variable is the auction contract's only source of truth for the amount of funds it holds. It therefore knows nothing about funds received from any other source, so there is no way to send tokens to it for distribution.
The auction contract could use the recovered funds if it tracked its holdings with templeGold.balanceOf(address(this)) instead.
Reusing recovered funds in future auctions was confirmed by the sponsor in a private Discord thread:
us: also, let's say you recover half of the TempleGold from the contract to some address - what do you do with the recovered tokens?
sponsor: we either redirect it back to DaiGoldAuction or staking or for other incentives. But I do believe DaiGoldAuction would need to have back its deserved allocation
Recovered TempleGold funds from the DaiGoldAuction contract cannot be reused on the same contract.
Tool used: manual review
Design a mechanism for receiving recovered TempleGold tokens. It can be a simple function that transfers the tokens in and accounts for the transferred amount in the same transaction.
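As an added illustration (not the project's code), the sketch below shows the recommended shape: an explicit, access-controlled top-up that pulls TempleGold in and credits nextAuctionGoldAmount in one transaction, so the auction's single source of truth stays in step with the tokens it actually holds. notifyDistribution(uint256), recoverToken() and nextAuctionGoldAmount are taken from the finding; the contract name, the owner-based access control, the parameter list of recoverToken(), and the event, error and function names topUpNextAuction and accountingIsConsistent are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative sketch, not the DaiGoldAuction source. Only the pieces needed to
/// show how recovered TempleGold can be put back into the next auction are present.
contract DaiGoldAuctionSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable templeGold;
    address public owner;                 // assumed access-control scheme for this sketch
    uint256 public nextAuctionGoldAmount; // the auction's only source of truth, as in the finding

    event GoldDistributionNotified(uint256 amount);
    event GoldToppedUp(address indexed from, uint256 amount);
    event TokenRecovered(address indexed token, address indexed to, uint256 amount);

    error Unauthorized();
    error InvalidAmount();

    constructor(IERC20 _templeGold) {
        templeGold = _templeGold;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    /// Existing path: TempleGold pushes tokens to this contract and then calls this hook.
    /// Only TempleGold is allowed to credit the accounted amount this way.
    function notifyDistribution(uint256 amount) external {
        if (msg.sender != address(templeGold)) revert Unauthorized();
        nextAuctionGoldAmount += amount;
        emit GoldDistributionNotified(amount);
    }

    /// Existing path: moves tokens out of the contract. In this sketch recovering
    /// TempleGold also reduces the accounted amount so the invariant below holds;
    /// whether the real contract does so is not stated in the finding.
    function recoverToken(address token, address to, uint256 amount) external onlyOwner {
        if (token == address(templeGold)) {
            if (amount > nextAuctionGoldAmount) revert InvalidAmount();
            nextAuctionGoldAmount -= amount;
        }
        IERC20(token).safeTransfer(to, amount);
        emit TokenRecovered(token, to, amount);
    }

    /// Suggested fix: an explicit, authorized top-up that both transfers and accounts.
    /// Pulling via transferFrom means the accounting moves only for tokens that came
    /// in through this door, never for arbitrary transfers to the contract address.
    function topUpNextAuction(uint256 amount) external onlyOwner {
        if (amount == 0) revert InvalidAmount();
        uint256 before = templeGold.balanceOf(address(this));
        templeGold.safeTransferFrom(msg.sender, address(this), amount);
        // Credit what actually arrived rather than the requested amount.
        uint256 received = templeGold.balanceOf(address(this)) - before;
        nextAuctionGoldAmount += received;
        emit GoldToppedUp(msg.sender, received);
    }

    /// Invariant a reviewer or monitor can poll: the accounted amount must never
    /// exceed the TempleGold the contract really holds.
    function accountingIsConsistent() external view returns (bool) {
        return nextAuctionGoldAmount <= templeGold.balanceOf(address(this));
    }
}
```

The top-up is deliberately a pull with explicit accounting rather than the balanceOf(address(this))-based tracking mentioned above: reading the live balance would also sweep in tokens sent to the contract by accident or by a third party, and it would make the next auction's size depend on state an operator does not control. An explicit entry point keeps the recovered allocation auditable through the GoldToppedUp event and leaves nextAuctionGoldAmount as the single, intentionally updated source of truth.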