`SpiceAuction` can have wrong epochAuctionTokenAmount
Summary
SpiceAuction can have the wrong epochAuctionTokenAmount if the auction started after the previous one's config was removed
Vulnerability Details
Imagine, the first auction started, the contract balance is 100 tokens, so after the creation of the auction it has 100 epochAuctionTokenAmount, and thus _totalAuctionTokenAllocation[auctionToken] is also 100. So it now in a cooldown period. Imagine now the executor wanna remove config and call removeAuctionConfig. It removed the epoch, but does not decrease _totalAuctionTokenAllocation[auctionToken] amount.
Now imagine we start a new auction. A contract balance is still 100, _totalAuctionTokenAllocation[auctionToken] is also 100, so the new auction epochAuctionTokenAmount is counted to zero:
We cannot call recoverToken before removing a config because of the revert on the cooldown check. Docs says we need use removeAuctionConfig instead:
We cannot call it after removing the config because maxRecoverAmount will be counted as zero here
It seems we cannot use recoverAuctionTokenForZeroBidAuction as well here due to check and wrong epoch id
Impact
Can break auction token amount to use
Tools Used
Manual review
Recommendations
Decrease _totalAuctionTokenAllocation[auctionToken] after removing a config for a auction
Lead Judging Commences
missing totalAuctionTokenAllocation deduction in removeAuctionConfig leads to stuck funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.