TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Recover Token Active Auction

Summary

The SpiceAuction::recoverToken function in the smart contract lacks a check to ensure that the current auction is not active before allowing token recovery. This oversight could lead to unauthorized token recovery during an active auction.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuction.sol#L234

The recoverToken function is designed to allow DAO executor access to recover tokens. However, it does not verify whether the current auction is active. This missing check could potentially be exploited to recover tokens during an active auction, leading to unintended disruptions and possible financial losses.

Code Snippet

/**
 * @notice Recover auction tokens for last but not started auction
 * @param token Token to recover
 * @param to Recipient
 * @param amount Amount to auction tokens
 */
function recoverToken(
    address token,
    address to,
    uint256 amount
) external override onlyDAOExecutor {
    if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    if (token != spiceToken && token != templeGold) {
        emit CommonEventsAndErrors.TokenRecovered(to, token, amount);
        IERC20(token).safeTransfer(to, amount);
        return;
    }
    uint256 epochId = _currentEpochId;
    EpochInfo storage info = epochs[epochId];
    /// @dev use `removeAuctionConfig` for case where `auctionStart` is called and cooldown is still pending
    if (info.startTime == 0) { revert InvalidConfigOperation(); }
    if (!info.hasEnded() && auctionConfigs[epochId+1].duration == 0) { revert RemoveAuctionConfig(); }
    /// @dev Now `auctionStart` is not triggered but `auctionConfig` is set (where _currentEpochId is not updated yet)
    // check to not take away intended tokens for claims
    // calculate auction token amount
    uint256 totalAuctionTokenAllocation = _totalAuctionTokenAllocation[token];
    uint256 balance = IERC20(token).balanceOf(address(this));
    uint256 maxRecoverAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[token]);
    if (amount > maxRecoverAmount) { revert CommonEventsAndErrors.InvalidParam(); }
    IERC20(token).safeTransfer(to, amount);
    emit CommonEventsAndErrors.TokenRecovered(to, token, amount);
}
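
The guard sequence and recovery cap of the snippet above, modelled in Python as an added example; it is not part of the submission or of the TempleDAO code base. It covers only the spiceToken/templeGold branch and leaves out the recipient check. The `State` values are constructed, and `hasEnded()` (not shown on this page) is assumed to mean `endTime <= block.timestamp`.

```python
from dataclasses import dataclass

class Revert(Exception):
    """Models a Solidity custom-error revert; args[0] is the error name."""

@dataclass
class State:
    # Constructed snapshot of the storage values recoverToken reads
    start_time: int        # epochs[_currentEpochId].startTime
    end_time: int          # epochs[_currentEpochId].endTime
    next_duration: int     # auctionConfigs[_currentEpochId + 1].duration
    balance: int           # IERC20(token).balanceOf(address(this))
    total_allocation: int  # _totalAuctionTokenAllocation[token]
    claimed: int           # _claimedAuctionTokens[token]

def has_ended(s, now):
    # Assumption: hasEnded() modelled as endTime <= block.timestamp
    return s.end_time <= now

def max_recoverable(s):
    # Allocated-but-unclaimed auction tokens must stay in the contract
    return s.balance - (s.total_allocation - s.claimed)

def recover_auction_token(s, amount, now):
    """Return the amount transferred, or raise Revert, in the snippet's check order."""
    if amount == 0:
        raise Revert("ExpectedNonZero")
    if s.start_time == 0:
        raise Revert("InvalidConfigOperation")
    if not has_ended(s, now) and s.next_duration == 0:
        raise Revert("RemoveAuctionConfig")
    if amount > max_recoverable(s):
        raise Revert("InvalidParam")
    return amount

def outcome(s, amount, now):
    # Either the transferred amount or the name of the error that reverted the call
    try:
        return recover_auction_token(s, amount, now)
    except Revert as e:
        return e.args[0]

NOW = 1_000
RUNNING = State(900, 1_100, 0, 500, 400, 100)  # started, not ended, no next config
ENDED = State(700, 900, 0, 500, 400, 100)      # ended, 300 tokens still unclaimed
NEVER_STARTED = State(0, 0, 0, 500, 0, 0)      # startTime == 0
```
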

Impact

The absence of an active auction check in the recoverToken function can result in unauthorized recovery of tokens during an active auction. This can disrupt the auction process, causing financial harm to participants and undermining the integrity of the auction mechanism.

Tools Used

Manual Review

Recommendations

Add a check within the recoverToken function to verify that the current auction is not active before allowing token recovery. This can be achieved by implementing a condition that checks the auction status and reverts the transaction if the auction is active.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement