Attacker can DoS the protocol via a race condition because auctionConfig and auctionStarter are not initialized in the constructor
Context:
DaiGoldAuction.sol#L48-L58
DaiGoldAuction.sol#L69-L69
DaiGoldAuction.sol#L278
An auction can be initiated using startAuction(). However, there are requirements in place that prevent anyone from starting an auction immediately, such as an access check, a wait period, a minimum start time and a cooldown, etc.
Note that all of this relies on auctionConfig and auctionStarter. Also note that certain operational and admin functions can only be called when no auction is currently running, for example setAuctionConfig(), used to set the auctionConfig:
and recoverToken(), used to recover auction tokens:
The issue here is that these crucial values (auctionConfig and auctionStarter) do not get set in the constructor. This allows a race condition in which an attacker triggers startAuction() immediately after the DaiGoldAuction contract is deployed and then keeps initiating new auction epochs exactly as the previous one ends, preventing certain operations from executing. Note that an auction initiated at this point starts immediately, since auctionConfig has not been set either.
Attackers will be able to keep initiating new auction epochs exactly after the previous one ends, preventing certain operations, including recoverToken(), from executing.
Manual Review
auctionConfig and auctionStarter should be initialized in the constructor.
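As an added illustration (not the DaiGoldAuction source), a simplified Solidity sketch of the recommended fix: both gating values are validated and set in the constructor, so the contract is never live in the unconfigured state described above, and a non-zero cooldown between epochs guarantees a window in which the noActiveAuction-gated admin functions can run. The struct fields, the owner and cooldown names and the epoch bookkeeping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Hypothetical, simplified sketch of the fix the finding recommends. Names other
// than startAuction, setAuctionConfig, recoverToken, auctionConfig and
// auctionStarter are assumed and do not come from the audited contract.
contract AuctionInitExample {
    struct AuctionConfig {
        uint32 auctionDuration;       // length of one epoch (assumed field)
        uint32 auctionStartCooldown;  // gap enforced between epochs (assumed field)
    }

    address public owner;
    address public auctionStarter;
    AuctionConfig public auctionConfig;
    uint256 public epochEndTime;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Admin functions are gated on "no auction running". With an unset config the
    // cooldown is zero, so epochs can be chained back to back and this gate never
    // opens; a non-zero cooldown guarantees the owner a window after each epoch.
    modifier noActiveAuction() { require(block.timestamp >= epochEndTime, "auction active"); _; }

    // Refuse to deploy with zero values: the unconfigured state is made unreachable
    // instead of relying on a later setAuctionConfig() call racing startAuction().
    constructor(address _starter, AuctionConfig memory _config) {
        require(_starter != address(0), "starter unset");
        require(_config.auctionDuration > 0, "duration unset");
        require(_config.auctionStartCooldown > 0, "cooldown unset");
        owner = msg.sender;
        auctionStarter = _starter;
        auctionConfig = _config;
    }

    function startAuction() external {
        require(msg.sender == auctionStarter, "not starter");
        require(block.timestamp >= epochEndTime + auctionConfig.auctionStartCooldown, "cooldown");
        epochEndTime = block.timestamp + auctionConfig.auctionDuration;
    }

    function setAuctionConfig(AuctionConfig calldata _config) external onlyOwner noActiveAuction {
        require(_config.auctionDuration > 0 && _config.auctionStartCooldown > 0, "bad config");
        auctionConfig = _config;
    }

    function recoverToken(address token, address to, uint256 amount) external onlyOwner noActiveAuction {
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```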