TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Loss of bidToken when auction starts without minimum tokens to be distributed

Summary

An auction can be started by anyone if no starter is set, which allows auctions to start regardless. However, the auction can be started with no auctionToken.

Vulnerability Details

```solidity
function startAuction() external override {
    uint256 epochId = _currentEpochId;
    /// @dev config is always set for next auction
    /// @notice Configuration is set before auctions so configId = currentEpochId + 1;
    SpiceAuctionConfig storage config = auctionConfigs[epochId+1];
    if (config.duration == 0) { revert CannotStartAuction(); }
    /// @notice only starter
    if (config.starter != address(0) && msg.sender != config.starter) { revert CommonEventsAndErrors.InvalidAccess(); }
    /// @notice enough wait period since last auction
    if (epochId > 0) {
        /// @dev `_currentEpochId` is still last epoch
        EpochInfo memory lastEpochInfo = epochs[epochId];
        /// use waitperiod from last auction config
        uint64 _waitPeriod = auctionConfigs[epochId].waitPeriod;
        if (lastEpochInfo.endTime + _waitPeriod > block.timestamp) { revert CannotStartAuction(); }
    } else {
        /// For first auction
        if (_deployTimestamp + config.waitPeriod > block.timestamp) { revert CannotStartAuction(); }
    }
    (,address auctionToken) = _getBidAndAuctionTokens(config);
    uint256 totalAuctionTokenAllocation = _totalAuctionTokenAllocation[auctionToken];
    uint256 balance = IERC20(auctionToken).balanceOf(address(this));
    uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);
    if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {
        if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }
    }
    if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }
    // epoch start settings
    // now update currentEpochId
    epochId = _currentEpochId = _currentEpochId + 1;
    EpochInfo storage info = epochs[epochId];
    uint128 startTime = info.startTime = uint128(block.timestamp) + config.startCooldown;
    uint128 endTime = info.endTime = startTime + config.duration;
    info.totalAuctionTokenAmount = epochAuctionTokenAmount;
    // Keep track of total allocation auction tokens per epoch
    _totalAuctionTokenAllocation[auctionToken] = totalAuctionTokenAllocation + epochAuctionTokenAmount;
    emit AuctionStarted(epochId, msg.sender, startTime, endTime, epochAuctionTokenAmount);
}
```

`config.activationMode` can be set to other states; this will bypass the `minimumDistributedAuctionToken` check and proceed with starting the auction.

The last `if` statement will pass even if `epochAuctionTokenAmount` is zero:

```solidity
if (config.activationMode == ActivationMode.AUCTION_TOKEN_BALANCE) {
    if (config.minimumDistributedAuctionToken == 0) { revert MissingAuctionTokenConfig(); }
}
if (epochAuctionTokenAmount < config.minimumDistributedAuctionToken) { revert NotEnoughAuctionTokens(); }
```

Impact

This will lead to loss of bidTokens: users that bid won't have anything to claim.

Tools Used

Manual Review

Recommendations

Always check whether `minimumDistributedAuctionToken` is zero.
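
The case described above, as an added example that is not part of the submission or of the TempleGold code base: a stand-alone model of the two quoted checks next to the recommended unconditional zero check, run on a zero minimum with a zero auction token balance. The contract name, function names and the order of the enum members are assumptions; `USER_FIRST_BID` is the mode named in the finding tag on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the TempleGold SpiceAuction contract.
/// Models only the two balance checks quoted from startAuction().
contract StartAuctionCheckModel {
    // Both mode names appear on the page; their order here is an assumption.
    enum ActivationMode { AUCTION_TOKEN_BALANCE, USER_FIRST_BID }

    error MissingAuctionTokenConfig();
    error NotEnoughAuctionTokens();

    /// The checks as quoted in the report.
    function checkAsQuoted(ActivationMode mode, uint256 minimumDistributed, uint256 epochAmount)
        public pure returns (bool)
    {
        if (mode == ActivationMode.AUCTION_TOKEN_BALANCE) {
            if (minimumDistributed == 0) { revert MissingAuctionTokenConfig(); }
        }
        // With minimumDistributed == 0 this is `epochAmount < 0`, never true for uint256.
        if (epochAmount < minimumDistributed) { revert NotEnoughAuctionTokens(); }
        return true;
    }

    /// The report's recommendation: reject a zero minimum in every activation mode.
    function checkAsRecommended(ActivationMode, uint256 minimumDistributed, uint256 epochAmount)
        public pure returns (bool)
    {
        if (minimumDistributed == 0) { revert MissingAuctionTokenConfig(); }
        if (epochAmount < minimumDistributed) { revert NotEnoughAuctionTokens(); }
        return true;
    }

    /// Runs both variants on the report's case: USER_FIRST_BID mode, zero minimum,
    /// zero auction tokens. A reverting variant leaves its flag false.
    function reportCase() external view returns (bool quotedStarts, bool recommendedStarts) {
        try this.checkAsQuoted(ActivationMode.USER_FIRST_BID, 0, 0) returns (bool ok) {
            quotedStarts = ok;
        } catch {}
        try this.checkAsRecommended(ActivationMode.USER_FIRST_BID, 0, 0) returns (bool ok) {
            recommendedStarts = ok;
        } catch {}
    }
}
```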

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Minimum auction tokens check is incorrectly enforced in SpiceAuction in case of USER_FIRST_BID start type
