TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Insufficient Auction State Check in `onlyWhenLive` Modifier

Summary

The onlyWhenLive modifier in the DaiGoldAuction contract checks if the current epoch is active but does not verify if the auction has ended. This could allow users to deposit bids even after the auction's end time, potentially leading to inconsistencies and unfairness in the auction process.

Vulnerability Details

The onlyWhenLive modifier, used in the bid function, ensures that bids can only be placed during an active auction epoch. However, it only checks if the epoch is active (info.isActive()) and does not consider the auction's end time (info.endTime). This means that even after the auction has concluded, users might still be able to deposit bids if the epoch itself hasn't been explicitly marked as ended.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L308-L311

```solidity
modifier onlyWhenLive() {
    if (!epochs[_currentEpochId].isActive()) { revert CannotDeposit(); }
    _;
}
```

Impact

Users could continue depositing bids even after the auction has officially ended. This could lead to incorrect calculations of the final bid amounts and the distribution of TGOLD rewards.

Tools Used

Manual Review

Recommendations

Enhance the onlyWhenLive modifier to include a check for the auction's end time:

```solidity
modifier onlyWhenLive() {
    EpochInfo storage info = epochs[_currentEpochId];
    if (!info.isActive() || block.timestamp >= info.endTime) {
        revert CannotDeposit();
    }
    _;
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
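
A claim like this one can be settled with a boundary test on `endTime`. The Foundry test below is an added example, not code from the submission or from the TempleGold repository: `AuctionModel` is a hypothetical stand-in, and its time-window `isActive()` body is an assumption made for illustration. Running the same two tests against the real auction fixture shows whether the extra `endTime` comparison changes anything.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the auction, NOT the TempleGold source.
// Assumption: isActive() is a time-window predicate over startTime/endTime.
contract AuctionModel {
    struct EpochInfo { uint64 startTime; uint64 endTime; }
    error CannotDeposit();
    EpochInfo public epoch;
    uint256 public totalBid;

    constructor(uint64 startTime_, uint64 endTime_) { epoch = EpochInfo(startTime_, endTime_); }

    function isActive() public view returns (bool) {
        return epoch.startTime <= block.timestamp && block.timestamp < epoch.endTime;
    }

    modifier onlyWhenLive() {
        if (!isActive()) { revert CannotDeposit(); }
        _;
    }

    function bid(uint256 amount) external onlyWhenLive { totalBid += amount; }
}

contract OnlyWhenLiveBoundaryTest is Test {
    AuctionModel auction;
    uint64 endTime;

    function setUp() public {
        uint64 startTime = uint64(block.timestamp + 1 hours);
        endTime = startTime + 1 days;
        auction = new AuctionModel(startTime, endTime);
    }

    function test_BidInLastSecondSucceeds() public {
        vm.warp(endTime - 1);
        auction.bid(1);
        assertEq(auction.totalBid(), 1);
    }

    function test_BidAtEndTimeReverts() public {
        vm.warp(endTime); // first timestamp at which the auction is over
        vm.expectRevert(AuctionModel.CannotDeposit.selector);
        auction.bid(1);
    }
}
```

If `test_BidAtEndTimeReverts` passes against the real contract without the recommended change, the modifier already enforces the end time.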
