TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Multiple auctions can lock funds of bidders

Summary

In the SpiceAuction contract, because multiple auctions can be created, bidders' funds can be permanently locked.

Vulnerability Details

The DAO executor sets a SpiceAuctionConfig called 'config id 1' and starts the first auction. While the first auction is pending in its startCooldown, the DAO executor sets 'config id 1' again and starts a second auction. There is no balance of the auction token, so the second auction's totalAuctionTokenAmount will be 0.

After the second auction ends, the bidders who bid in the second auction cannot claim their rewards because totalAuctionTokenAmount is 0.

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuction.sol#L221

uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);

Impact

The DAO executor can create multiple auctions with the same SpiceAuctionConfig in the SpiceAuction contract. The next auction's totalAuctionTokenAmount can be 0, so the bidders in this auction cannot claim their rewards.

Tools Used

Manual review

Recommendations

The totalAuctionTokenAmount of a new auction in startAuction() must not be 0.

function startAuction() external override {
    ...
    uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);
    ...
    if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }
    // Reject an epoch that would distribute no auction tokens.
    if (epochAuctionTokenAmount == 0) { revert NotEnoughAuctionTokens(); }
    ...
}

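
Added example (not part of the submission and not TempleGold code): a simplified Python model of the two accounting lines quoted above, showing how the existing minimum check and the recommended zero check interact. Class and method names are hypothetical, cooldown and timing checks are left out, and `mulDivRound(..., false)` is assumed to round down.

```python
# Simplified model of the accounting lines quoted in this report.
# Not the SpiceAuction contract; all names here are hypothetical.

class NotEnoughAuctionTokens(Exception):
    pass

class AuctionModel:
    def __init__(self, minimum_distributed):
        self.minimum_distributed = minimum_distributed  # config.minimumDistributedAuctionToken
        self.balance = 0           # auction tokens held by the contract
        self.total_allocation = 0  # totalAuctionTokenAllocation
        self.claimed = 0           # _claimedAuctionTokens[auctionToken]
        self.epochs = []           # per-epoch totals and bids

    def fund(self, amount):
        self.balance += amount

    def start_auction(self, require_nonzero=True):
        # Tokens in the balance that no earlier epoch has been promised.
        epoch_amount = self.balance - (self.total_allocation - self.claimed)
        if epoch_amount < self.minimum_distributed:
            raise NotEnoughAuctionTokens("below configured minimum")
        if require_nonzero and epoch_amount == 0:
            raise NotEnoughAuctionTokens("epoch would distribute nothing")
        self.total_allocation += epoch_amount
        self.epochs.append({"auction_total": epoch_amount, "bid_total": 0, "bids": {}})
        return len(self.epochs) - 1

    def bid(self, epoch, bidder, amount):
        info = self.epochs[epoch]
        info["bids"][bidder] = info["bids"].get(bidder, 0) + amount
        info["bid_total"] += amount

    def claim(self, epoch, bidder):
        info = self.epochs[epoch]
        bid_amount = info["bids"].pop(bidder)
        # Pro-rata share, floor division (assumed meaning of the false flag).
        amount = bid_amount * info["auction_total"] // info["bid_total"]
        self.claimed += amount
        self.balance -= amount
        return amount
```

In this model the explicit zero check only changes behaviour when the configured minimum is 0; any positive minimum already rejects an unfunded epoch through the first guard.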
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
