TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unrestricted Auction Start Allows Contract Lockup in `DAIAuction` Contract lead to stop creation of legit auction for 1 week after deployment

recursiveeth

Summary

The startAuction function in your Solidity contract can be called by any user, allowing them to initiate an auction immediately after deployment without proper configuration. This can lead to unintended consequences, such as the contract being stuck for a week due to the specified AUCTION_DURATION

Vulnerability Details

The vulnerability lies in the following aspects of the startAuction function:

  1. Unrestricted Access: The function allows any user (msg.sender) to call startAuction, bypassing any intended access controls beyond checking if auctionStarter is not address(0) and msg.sender is not auctionStarter.

  2. Immediate Auction Start: If called immediately after deployment or in certain conditions, the function sets up an auction (EpochInfo) with an AUCTION_DURATION that could potentially lock the contract from creating new auctions for a week (AUCTION_DURATION). == 1 WEEK

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/DaiGoldAuction.sol#L103C4-L126C6

function startAuction() external override {
if (auctionStarter != address(0) && msg.sender != auctionStarter) { revert CommonEventsAndErrors.InvalidAccess(); }
EpochInfo storage prevAuctionInfo = epochs[_currentEpochId];
if (!prevAuctionInfo.hasEnded()) { revert CannotStartAuction(); }
AuctionConfig storage config = auctionConfig;
/// @notice last auction end time plus wait period
if (_currentEpochId > 0 && (prevAuctionInfo.endTime + config.auctionsTimeDiff > block.timestamp)) {
revert CannotStartAuction();
}
_distributeGold();
uint256 totalGoldAmount = nextAuctionGoldAmount;
nextAuctionGoldAmount = 0;
uint256 epochId = _currentEpochId = _currentEpochId + 1;
if (totalGoldAmount < config.auctionMinimumDistributedGold) { revert LowGoldDistributed(totalGoldAmount); }
EpochInfo storage info = epochs[epochId];
info.totalAuctionTokenAmount = totalGoldAmount;
uint128 startTime = info.startTime = uint128(block.timestamp) + config.auctionStartCooldown;
uint128 endTime = info.endTime = startTime + AUCTION_DURATION;
emit AuctionStarted(epochId, msg.sender, startTime, endTime, totalGoldAmount);
}

Impact

he impact of this vulnerability can be significant:

  • Contract Lockup: Initiating an auction immediately after deployment with a long AUCTION_DURATION could lock the contract from starting new auctions for a considerable period, potentially a week in this case.

  • Operational Disruption: The inability to start new auctions as intended can disrupt the contract's operations, affecting its ability to distribute tokens or execute other essential functions tied to the auction mechanism.

Tools Used

Manual review

Recommendations

Access Control Review: Review and enhance access controls within the startAuction function. Ensure that only authorized entities or conditions can initiate an auction, such as requiring specific initialization steps or permissions, atleast for the first time

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

`startAuction` the second the DaiGoldAuction is deployed can be used to DOS the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.