Summary

The function incorrectly transfers templeGold tokens to an arbitrary "to" address instead of returning them to the templeGold contract address.

Vulnerability Details

In the recoverToken function, templeGold tokens are transferred to an arbitrary address:

templeGold.safeTransfer(to, amount);

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/DaiGoldAuction.sol#L293

And there is no check that the "to" address is the templeGold contract address.

This transfer does not align with the token distribution mechanism described in the startAuction function.

The startAuction function includes a call to _distributeGold(), which mints and distributes templeGold tokens to the DaiGoldAuction contract:

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/DaiGoldAuction.sol#L113

This indicates that templeGold tokens should originate from and return to the templeGold contract.

Impact

There is potential loss of tokens meant for users who don't claim their tokens immediately after an auction ends. Also, there would be inconsistency between the amount of tokens minted by templeGold and the amount available in the ecosystem.

Tools Used

Manual review

Recommendations

Modify the recoverToken function to transfer tokens back to the templeGold contract address instead of an arbitrary "to" address.