TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

[M-01] Missing check for fee-on-transfer token in DaiGoldAuction:bid function

svetoslavb04

Summary

When a user bids DaiGoldAuction the auction uses a fee-on-transfer token, incorrect accounting is made and the user is accounted for with more tokens than he deposited. A check for the auctions's balance before and after is not done and the amount that comes from the input is directly added to the depositor's balance as well as to totalBidTokenAmount

function bid(uint256 amount) external virtual override onlyWhenLive {

if (amount == 0) revert CommonEventsAndErrors.ExpectedNonZero();

> bidToken.safeTransferFrom(msg.sender, treasury, amount);

uint256 epochIdCache = _currentEpochId;

depositors[msg.sender][epochIdCache] += amount;

EpochInfo storage info = epochs[epochIdCache];

info.totalBidTokenAmount += amount;

emit Deposit(msg.sender, epochIdCache, amount);

}

Vulnerability Details

Imagine the auction starts with a fee-on-transfer token and Alice bids 100 tokens.
The auction contract will receive 98 because of the fee, but it will account for 100 tokens.
At the end of the auction, Alice will receive more gold than she deserves

Impact

This leads to incorrect accounting and users will claim more TempleGold than they should

Tools Used

Manual review

Recommendations

If you want to allow fee-on-transfer tokens use the bellow update
Check the balance of the contract before and after the transfer of the tokens as done in the SpiceAuction.sol

function bid(uint256 amount) external virtual override onlyWhenLive {

if (amount == 0) revert CommonEventsAndErrors.ExpectedNonZero();

+ uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(treasury);

bidToken.safeTransferFrom(msg.sender, treasury, amount);

+ uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(treasury);

+ uint256 _actualAmount = _bidTokenAmountAfter - _bidTokenAmountBefore;

uint256 epochIdCache = _currentEpochId;

- depositors[msg.sender][epochIdCache] += amount;

+ depositors[msg.sender][epochIdCache] += _actualAmount;

EpochInfo storage info = epochs[epochIdCache];

- info.totalBidTokenAmount += amount;

+ info.totalBidTokenAmount += _actualAmount;

- emit Deposit(msg.sender, epochIdCache, amount);

+ emit Deposit(msg.sender, epochIdCache, _actualAmount);

}

If you don't want to allow fee-on-transfer tokens add the following check:

+ if (amount != _actualAmount) revert CommonEventsAndErrors.InvalidParam();

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.