Submission Details
Severity:
`SpiceAuction.bid()` function could be DoSed
## Summary
`SpiceAuction.bid()` function could be DoSed if the auction bid token recipient (`auctionConfigs[epochId].recipient`) got blacklisted by the `$TGLD` bid token.
## Vulnerability Details
`SpiceAuction` contract enables using `$TGLD` token (TempleGold token) as a bid token as well as an auction token, and this token can't be transferred between users, only from/to a whitelisted addresses.
So if the bid token recipient for an auction got removed from the `$TGLD` token whitelist, then `SpiceAuction.bid()` function will revert as it will fail to transfer these bid tokens to the non-whitelisted address.
## Impact
This would result in disabling the bidding for the running auction as there's no mechanism to change the bid proceeds address (`config.recipient`).
## Code Snippet
```javascript
//@note : `SpiceAuction.bid()`
function bid(uint256 amount) external virtual override {
//................
SpiceAuctionConfig storage config = auctionConfigs[epochId];
(address bidToken, ) = _getBidAndAuctionTokens(config);
address _recipient = config.recipient;
//................
IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
//................
}
```
## Tools Used
Manual Review.
## Recommendations
Add a mechanism to change the recipient of the bid proceeds of an auction in case they got blacklisted from the bid token.
Prize pool breakdown
Total prize
25,000 USDC
nSLOC
99825 USDC / LOC
20,000 USDC
2,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.