TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

DaiGoldAuction::startAuction() and auction reward logic breaks after TempleGold vesting is completed

Summary

The contract stops working once TempleGold finishes vesting.

Vulnerability Details

One of the requirements to start an auction is the availability of sufficient templeGold reward in the system, which is represented here as:

if (totalGoldAmount < config.auctionMinimumDistributedGold) { revert LowGoldDistributed(totalGoldAmount); }

Note that the function isn't checking the actual contract balance but a variable (nextAuctionGoldAmount) that tracks the reward availability. Also, this variable is only updated with added reward when DaiGoldAuction::notifyDistribution is called.

    function notifyDistribution(uint256 amount) external override {
        if (msg.sender != address(templeGold)) { revert CommonEventsAndErrors.InvalidAccess(); }
        /// @notice Temple Gold contract mints TGLD amount to contract before calling `notifyDistribution`
        nextAuctionGoldAmount += amount;
        emit GoldDistributionNotified(amount, block.timestamp);
    }

The problem is that this function can only be called by the TempleGold contract when distributing tokens to its recipients, and TempleGold can only distribute tokens as long as it is still vesting, i.e. while its circulating supply is still growing. This means that in the future, when the TempleGold vesting is over, DaiGoldAuction::startAuction() will consistently revert, as the requirement mentioned above will continuously fail.
The admin could decide to set config.auctionMinimumDistributedGold to zero to allow the check to pass, but they would be exposing their users to other risks like griefing and extortion. info.totalAuctionTokenAmount being set to zero means they collect bids from their users (which are non-refundable) and give them nothing in return. Either way, this spells the end for the contract, as it is illogical to expect users to participate in the auction when they stand to gain nothing.

Another problem arises in the reward calculation logic, which uses the nextAuctionGoldAmount variable to set the info.totalAuctionTokenAmount value for an epoch. That value is then used to calculate each user's reward share.

uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);

Note that the purpose of this contract is to help the team raise funds for their operation (as mentioned by the sponsors in the set off call), and this is something that is expected to continue into the future, past the TGLD vesting duration. Should the protocol choose to redirect some of the 10% TGLD for the team and incentives to the contract, they won't be able to auction it.

Impact

Even if the protocol has some templeGold and would like to run some auctions, they can't, as there is no way for the contract to add it to its reward balance accounting. This literally sets a deadline for the protocol.

Tools Used

Manual

Recommendations

Create an alternative way to notify the contract of added rewards when an auction is to be held.
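A simplified model of the accounting described in this report, with one possible shape for the recommendation. This is an added example, not TempleDAO's code: the contract name `AuctionAccountingModel`, the `funder` role, the `fundNextAuction` function and the `TransferFailed` error are hypothetical, and the reset of `nextAuctionGoldAmount` in `startAuction` is a modelling assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Simplified model only; not the real DaiGoldAuction contract.
contract AuctionAccountingModel {
    IERC20 public immutable templeGold;
    address public immutable funder;            // hypothetical privileged role
    uint256 public auctionMinimumDistributedGold;
    uint256 public nextAuctionGoldAmount;       // accounting variable, not balanceOf(this)
    uint256 public totalAuctionTokenAmount;     // reward pool of the started epoch

    error InvalidAccess();
    error LowGoldDistributed(uint256 amount);
    error TransferFailed();

    constructor(IERC20 _templeGold, address _funder, uint256 _minGold) {
        templeGold = _templeGold;
        funder = _funder;
        auctionMinimumDistributedGold = _minGold;
    }

    /// Path shown in the report: only the TGLD token can credit rewards,
    /// and it does so only while it is distributing newly vested supply.
    function notifyDistribution(uint256 amount) external {
        if (msg.sender != address(templeGold)) revert InvalidAccess();
        nextAuctionGoldAmount += amount;
    }

    /// Hypothetical second path: pull TGLD from the funder and credit the
    /// same variable, so balance and accounting stay in step.
    function fundNextAuction(uint256 amount) external {
        if (msg.sender != funder) revert InvalidAccess();
        if (!templeGold.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        nextAuctionGoldAmount += amount;
    }

    /// A plain token transfer to this contract raises its balance but not
    /// nextAuctionGoldAmount, so this check still reverts after vesting ends.
    function startAuction() external {
        uint256 totalGoldAmount = nextAuctionGoldAmount;
        if (totalGoldAmount < auctionMinimumDistributedGold) revert LowGoldDistributed(totalGoldAmount);
        totalAuctionTokenAmount = totalGoldAmount;
        nextAuctionGoldAmount = 0;              // modelling assumption
    }
}
```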

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
