Relevant Github Links

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/interfaces/templegold/ISpiceAuction.sol#L36-L41

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L164-L170

Summary

• There are two activation mode in SpiceAuction for deciding the activation for an auction which are - AUCTION_TOKEN_BALANCE and USER_FIRST_BID.

• The USER_FIRST_BID involves enabling auction when user bids for other volatile token, but still the startAuction function follows the AUCTION_TOKEN_BALANCE in which auction is enabled and awaiting start after cooldown is over.

Vulnerability Details

• The vulnerability is present in the startAuction function where for the config corresponding to the auction to be started, it performs activation by AUCTION_TOKEN_BALANCE even if in the config USER_FIRST_BID is set.

• No matter what activation mode it performs the same set of operations, i.e., Auction is enabled and is awaiting start if there is enough auction token, otherwise it revert.

• Thus, even for USER_FIRST_BID as activation mode it performs the same set of operations that are performed in AUCTION_TOKEN_BALANCE.

Impact

Auction is activated according to AUCTION_TOKEN_BALANCE activation mode even if activation mode is set as USER_FIRST_BID.

Tools Used

Manual Review

Recommendations

Consider updating startAuction function and consider USER_FIRST_BID activation mode, for which auction is enabled when user bids for other volatile token.