TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Spice auctions can be griefed with 1 wei bids

SBSecurity

Summary

recoverAuctionTokenForZeroBidAuction was added after the audit in order to claim the designated tokens in case the auction ended with no bids, but everyone can bid with 1 wei and prevent Dao from claiming these tokens back.

Vulnerability Details

In the beginning, when there is not that big activity in the protocol there will be more auctions without bids, either they are not appealing enough for users or even there is a technical issue such as L2 sequencers failing to deliver. This opens the possibility for anyone to bid with up to 1 wei of auction token and this will be enough to increase the totalBidTokenAmount and prevent calling the recoverAuctionTokenForZeroBidAuction since there is a check for non-zero bid amount:

function recoverAuctionTokenForZeroBidAuction(uint256 epochId, address to) external override onlyDAOExecutor {

...MORE CODE

if (epochInfo.totalBidTokenAmount > 0) { revert InvalidOperation(); }

}

This will result in locked tokens in the SpiceAuction contract without a way to be utilised in another auction, since they are already accounted in the totalAuctionTokenAllocation :

function startAuction() external override {

...MORE CODE

uint256 totalAuctionTokenAllocation = _totalAuctionTokenAllocation[auctionToken];

uint256 balance = IERC20(auctionToken).balanceOf(address(this));

uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);//NOTE isn't the claimedAuctionTokens be able to be increased even only after auction has ended

if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {

if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }

}

...MORE CODE

info.totalAuctionTokenAmount = epochAuctionTokenAmount;

// Keep track of total allocation auction tokens per epoch

_totalAuctionTokenAllocation[auctionToken] = totalAuctionTokenAllocation + epochAuctionTokenAmount;

emit AuctionStarted(epochId, msg.sender, startTime, endTime, epochAuctionTokenAmount);

}

Impact

Loss of auction tokens when someone manages to be the single bid with 1 wei.

Tools Used

Manual Review

Recommendations

Extend the setAuctionConfig to be able to provide minBidAmount, that way you will be able to perform some estimation on what will be the minimum bid step which will not leave the protocol with locked tokens per auction.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.