Event emission with wrong parameters in `SpiceAuction::removeAuctionConfig()`
Summary
The SpiceAuction::removeAuctionConfig() emits the AuctionConfigRemoved event with wrong parameters at L#131. The epochId must always be 1 less than the configId (the else block deals with the case where auction config is set but the auction hasn't started yet), however, it is hard-coded to 0.
Vulnerability Details
Consider the following code segment from SpiceAuction::removeAuctionConfig() function,
Suppose the config for the 3rd spice auction is set with id 3. Since the auction hasn't started yet, epoch id is not in sync with the auction id (epoch id is still at 2). This scenario can be generalized to say that for the nth auction id which hasn't started yet, the epoch id is still at (n-1). When the config for auction id 3 is removed, config id should be 3 and epoch id should be 2. The event parameters are defined in ISpiceAuction interface as follows,
Thus, in this case, the epoch id must be one less than the config id.
Impact
Events are used by off-chain services to track contract activities. Incorrect event emission may cause unforseen discrepancies.
Tools Used
Manual review. Foundry.
Recommended Mitigation
Make the following changes in SpiceAuction::removeAuctionConfig(),
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.