In `SpiceAuction`, the activation of auction happens as `AUCTION_TOKEN_BALANCE` even if `USER_FIRST_BID` is selected
Relevant Github Links
Summary
There are two activation mode in
SpiceAuctionfor deciding the activation for an auction which are -AUCTION_TOKEN_BALANCEandUSER_FIRST_BID.The
USER_FIRST_BIDinvolves enabling auction when user bids for other volatile token, but still thestartAuctionfunction follows theAUCTION_TOKEN_BALANCEin which auction is enabled and awaiting start after cooldown is over.
Vulnerability Details
The vulnerability is present in the
startAuctionfunction where for the config corresponding to the auction to be started, it performs activation byAUCTION_TOKEN_BALANCEeven if in the configUSER_FIRST_BIDis set.No matter what activation mode it performs the same set of operations, i.e., Auction is enabled and is awaiting start if there is enough auction token, otherwise it revert.
Thus, even for
USER_FIRST_BIDas activation mode it performs the same set of operations that are performed inAUCTION_TOKEN_BALANCE.
Impact
Auction is activated according to AUCTION_TOKEN_BALANCE activation mode even if activation mode is set as USER_FIRST_BID.
Tools Used
Manual Review
Recommendations
Consider updating startAuction function and consider USER_FIRST_BID activation mode, for which auction is enabled when user bids for other volatile token.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.