When the recoverToken function is called, it deletes the entire epoch data, preventing users who haven't yet claimed their tokens from ever being able to do so. This can result in permanent loss of user funds.
In the recoverToken function, the epochId data is deleted:
delete epochs[epochId];
This operation removes all information related to the specified epoch from the contract's storage.
However, the claim function relies heavily on the existence of epoch data:
EpochInfo storage info = epochs[epochId];
if (info.startTime == 0) { revert InvalidEpoch(); }
After epoch deletion, any attempt to claim tokens will result in an InvalidEpoch error, as the startTime for a deleted epoch will be 0.
User deposit information remains in the contract even after epoch deletion:
uint256 bidTokenAmount = depositors[msg.sender][epochId];
However, this information becomes inaccessible and unusable due to the epoch deletion.
Going by the documentation below, depositors are expected to be able to claim their tokens at any time after an auction has ended:
"DAI depositors can claim their share of the TGOLD rewards after auction and also retroactively."
https://github.com/TempleDAO/temple/blob/templegold/protocol/contracts/templegold/README.md
But this won't be possible based on the above.
Users who haven't claimed their tokens before the recoverToken function is called will permanently lose access to their funds.
Manual review
Create a separate mapping for claimable amounts: Instead of relying solely on epoch data, maintain a separate mapping of claimable amounts that persists even after epoch deletion.
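One way to realise this recommendation, as an added sketch that is not the TempleDAO contract: recoverToken copies the totals that claim needs into a mapping that outlives the epoch record, and claim falls back to that mapping once startTime reads 0. Only epochs, depositors, EpochInfo, startTime, InvalidEpoch, claim and recoverToken come from the finding; the other names, the pro-rata formula and the omitted access control and token transfers are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration. Settlement, settlements, totalBid, totalAuction, endTime,
// startAuction, bid and NothingToClaim are hypothetical names, not the project's own.
contract ClaimAfterRecoverSketch {
    struct EpochInfo { uint128 startTime; uint128 endTime; uint256 totalBid; uint256 totalAuction; }
    struct Settlement { uint256 totalBid; uint256 totalAuction; }

    error InvalidEpoch();
    error NothingToClaim();

    mapping(uint256 => EpochInfo) public epochs;
    mapping(uint256 => Settlement) public settlements; // persists after delete epochs[epochId]
    mapping(address => mapping(uint256 => uint256)) public depositors;

    // Simplified setup so the sketch can be exercised from a test; access control omitted.
    function startAuction(uint256 epochId, uint256 auctionAmount, uint128 duration) external {
        uint128 start = uint128(block.timestamp);
        epochs[epochId] = EpochInfo(start, start + duration, 0, auctionAmount);
    }

    function bid(uint256 epochId, uint256 amount) external {
        EpochInfo storage info = epochs[epochId];
        if (info.startTime == 0 || block.timestamp >= info.endTime) revert InvalidEpoch();
        depositors[msg.sender][epochId] += amount;
        info.totalBid += amount;
    }

    function recoverToken(uint256 epochId) external {
        EpochInfo storage info = epochs[epochId];
        if (info.startTime == 0) revert InvalidEpoch();
        // Snapshot what claim() needs before the epoch record disappears. Any sweep
        // performed here must leave the snapshotted auction tokens in the contract.
        if (info.totalBid > 0) settlements[epochId] = Settlement(info.totalBid, info.totalAuction);
        delete epochs[epochId];
    }

    function claim(uint256 epochId) external returns (uint256 claimAmount) {
        EpochInfo storage info = epochs[epochId];
        Settlement memory s = settlements[epochId]; // used when the epoch was deleted
        if (info.startTime != 0) {
            if (block.timestamp < info.endTime) revert InvalidEpoch(); // auction still live
            s = Settlement(info.totalBid, info.totalAuction);
        }
        if (s.totalBid == 0) revert InvalidEpoch(); // never existed, or had no bids
        uint256 bidTokenAmount = depositors[msg.sender][epochId];
        if (bidTokenAmount == 0) revert NothingToClaim();
        delete depositors[msg.sender][epochId]; // clear before paying out
        claimAmount = bidTokenAmount * s.totalAuction / s.totalBid; // transfer omitted
    }
}
```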