TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

It is possible for the executor to recover tokens from a zero bid more than once, breaking the core trust of the contract.

Summary

It is possible for the executor to recover tokens from a zero bid more than once, breaking the core trust of the contract.

Context:
SpiceAuction.sol#L287

Vulnerability Details

The recoverAuctionTokenForZeroBidAuction() function in the SpiceAuction.sol contract allows the DAOExecutor to recover auction tokens for an epoch with zero bids. However, because a line is missing from the current implementation, the executor can do this more than once for even a single zero-bid epoch and end up draining the totalAuctionTokenAllocation even after many users have bid. This possibility breaks the entire trust in the smart contract:

depositors can claim their share of the TGOLD rewards after auction and also retroactively

Now let's have a look at the recoverAuctionTokenForZeroBidAuction():

function recoverAuctionTokenForZeroBidAuction(uint256 epochId, address to) external override onlyDAOExecutor {
    if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    // has to be valid epoch
    if (epochId > _currentEpochId) { revert InvalidEpoch(); }
    // epoch has to be ended
    EpochInfo storage epochInfo = epochs[epochId];
    if (!epochInfo.hasEnded()) { revert AuctionActive(); }
    // bid token amount for epoch has to be 0
    if (epochInfo.totalBidTokenAmount > 0) { revert InvalidOperation(); }
    SpiceAuctionConfig storage config = auctionConfigs[epochId];
    (, address auctionToken) = _getBidAndAuctionTokens(config);
@>  uint256 amount = epochInfo.totalAuctionTokenAmount;
@>  _totalAuctionTokenAllocation[auctionToken] -= amount;
    emit CommonEventsAndErrors.TokenRecovered(to, auctionToken, amount);
    IERC20(auctionToken).safeTransfer(to, amount);
}

Notice that after reading the totalAuctionTokenAmount of that zero bid epoch and transferring it to the recipient address, the function does not reset the now recovered value to zero:

epochInfo.totalAuctionTokenAmount = 0;

With this missing, it is possible for the executor to recover tokens from a zero bid more than just once, which will affect all bidders.
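The accounting described above, written as a Foundry regression test. This is an added example over a constructed model, not SpiceAuction.sol or the submitter's proof of concept. RecoveryModel, fund(), recover(), the patched flag and the recovered counter are hypothetical names, and the model assumes a compiler with checked arithmetic (^0.8) and omits the access-control, hasEnded and zero-bid checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed model, not SpiceAuction.sol. Access control and the
// hasEnded / zero-bid checks are left out; only the accounting remains.
contract RecoveryModel {
    mapping(uint256 => uint256) public epochAuctionAmount; // epochInfo.totalAuctionTokenAmount
    uint256 public totalAllocation; // _totalAuctionTokenAllocation[auctionToken]
    uint256 public recovered;       // stands in for safeTransfer(to, amount)

    function fund(uint256 epochId, uint256 amount) external {
        epochAuctionAmount[epochId] = amount;
        totalAllocation += amount;
    }

    // patched == true applies the recommended reset before the transfer.
    function recover(uint256 epochId, bool patched) external {
        uint256 amount = epochAuctionAmount[epochId];
        if (patched) epochAuctionAmount[epochId] = 0;
        totalAllocation -= amount; // checked arithmetic under ^0.8
        recovered += amount;
    }
}

contract RecoveryModelTest is Test {
    RecoveryModel internal m;

    function setUp() public {
        m = new RecoveryModel();
        m.fund(1, 100e18); // epoch 1: ended with zero bids
        m.fund(2, 100e18); // epoch 2: allocation owed to its bidders
    }

    function test_unpatched_repeatCallConsumesOtherEpoch() public {
        m.recover(1, false);
        m.recover(1, false); // succeeds: epoch 1 amount was never cleared
        assertEq(m.recovered(), 200e18);
        assertEq(m.totalAllocation(), 0); // epoch 2's share is gone
        vm.expectRevert(); // a third call underflows totalAllocation
        m.recover(1, false);
    }

    function test_patched_repeatCallRecoversNothing() public {
        m.recover(1, true);
        m.recover(1, true); // amount is now 0
        assertEq(m.recovered(), 100e18);
        assertEq(m.totalAllocation(), 100e18);
    }
}
```

In this model the repeat call only succeeds while allocation belonging to other epochs still covers the subtraction; once it is exhausted, the call reverts.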

Impact

It is possible for the executor to recover tokens from a zero bid more than once and end up draining the totalAuctionTokenAllocation even after many users have bid, affecting all bidders. Also, this possibility alone breaks the trust that users place in the smart contract and the protocol.

Tools Used

Manual Review

Recommendations

The epochInfo.totalAuctionTokenAmount should be updated to zero after getting the value:

+ epochInfo.totalAuctionTokenAmount = 0
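Review bot: the added line has no terminating semicolon and the recommendation does not say where in recoverAuctionTokenForZeroBidAuction() it belongs. It should read `epochInfo.totalAuctionTokenAmount = 0;` and sit after `uint256 amount = epochInfo.totalAuctionTokenAmount;` and before the `safeTransfer` call, so the state is cleared before the external transfer. With only this reset, a repeat call would still pass every check and emit TokenRecovered with an amount of zero; reverting when `amount` is zero would make the repeat call fail explicitly.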
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
