TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Potential Denial of Service (DoS) Due to Incorrect Total Token Calculation in `recoverAuctionTokenForZeroBidAuction()`

Summary

If `recoverAuctionTokenForZeroBidAuction()` is called multiple times for the same epoch (although the executor is trusted), it can mistakenly reduce `_totalAuctionTokenAllocation` and cause a denial of service (DoS). This is possible because the code allows `recoverAuctionTokenForZeroBidAuction()` to be called multiple times for the same epoch. Each repeated call reduces the total token allocation again, leading to a state where `_totalAuctionTokenAllocation` is less than `_claimedAuctionTokens`. This prevents new auctions from starting and causes a DoS for users.

Vulnerability Details

Example Scenario:

a. Initial State:

  • Auction1: 100 tokens

  • Auction2: 30 tokens (0 bids)

  • Auction3: 40 tokens

  • _totalAuctionTokenAllocation: 170

  • _claimedAuctionTokens: 0

b. Actions:

  • Users claim 50 tokens from Auction1.

  • _claimedAuctionTokens: 50

c. First Call to recoverAuctionTokenForZeroBidAuction() for Auction2:

  • _totalAuctionTokenAllocation: 140 (170 - 30)

  • _claimedAuctionTokens: 50

d. Continued Claims:

  • Users claim remaining 50 tokens from Auction1.

  • _claimedAuctionTokens: 100

e. Second Call to recoverAuctionTokenForZeroBidAuction() for Auction2:

  • _totalAuctionTokenAllocation: 110 (140 - 30)

  • _claimedAuctionTokens: 100

f. Users Claim from Auction3:

  • Balance is 10 tokens, but next user wants to claim 20 tokens.

  • Attacker frontruns the claim transaction and deposits 10 tokens directly to the contract.

  • _totalAuctionTokenAllocation: 110

  • _claimedAuctionTokens: 120

From the result above, we can clearly see that _totalAuctionTokenAllocation (110) < _claimedAuctionTokens (120).

In `startAuction`, the `epochAuctionTokenAmount` calculation reverts:

```solidity
uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);
```

Hence auctions cannot start, causing a DoS. Adding tokens directly to the contract does not increase the value of totalAuctionTokenAllocation, so the DoS is permanent. Also, if the contract balance in step f goes below the required amount (fewer tokens are present in the contract than expected), users will not be able to claim their tokens, which is a DoS on claiming.

Impact

  1. System Inconsistency: Users may face issues claiming auction tokens due to reduced token allocation.

  2. Auction Failure: New auctions may fail to start due to incorrect allocation calculations.

  3. DoS Attack: Attackers can cause a denial of service by depositing some extra auction tokens into the contract.

Tools Used

Manual Code Review

Recommendations

1. Update epochInfo.totalAuctionTokenAmount: Ensure this value is updated correctly after recoverAuctionTokenForZeroBidAuction() is called for an epoch.
2. Restrict Multiple Calls: Implement checks to prevent the function from being called multiple times for the same epoch.
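
The accounting in steps a to f and the effect of recommendation 2, replayed in a small Python model. This is an added example, not the TempleGold contract code: the class, method names and the per-epoch guard are hypothetical, and the model assumes the contract initially holds the full allocation and that each recovery transfers the epoch's tokens out of the contract.

```python
class Revert(Exception):
    """Stands in for a Solidity 0.8 revert (checked arithmetic or a require)."""

def checked_sub(a, b):
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b

class AuctionModel:  # hypothetical model, not the audited contract
    def __init__(self, epoch_amounts, guard_recovery):
        self.epoch_amounts = dict(epoch_amounts)
        self.total_allocation = sum(epoch_amounts.values())
        self.balance = self.total_allocation  # assumption: full allocation is held
        self.claimed = 0
        self.recovered = set()
        self.guard_recovery = guard_recovery

    def claim(self, amount):
        self.balance = checked_sub(self.balance, amount)
        self.claimed += amount

    def recover_zero_bid(self, epoch):
        # Recommendation 2: refuse a second recovery of the same epoch.
        if self.guard_recovery and epoch in self.recovered:
            raise Revert("epoch already recovered")
        amount = self.epoch_amounts[epoch]
        self.total_allocation = checked_sub(self.total_allocation, amount)
        self.balance = checked_sub(self.balance, amount)  # assumption: tokens leave
        self.recovered.add(epoch)

    def next_epoch_amount(self):
        # Same shape as the startAuction expression quoted in the report.
        return checked_sub(self.balance, checked_sub(self.total_allocation, self.claimed))

def run_scenario(guard_recovery):
    m = AuctionModel({1: 100, 2: 30, 3: 40}, guard_recovery)  # step a
    m.claim(50)                # step b
    m.recover_zero_bid(2)      # step c
    m.claim(50)                # step d
    try:
        m.recover_zero_bid(2)  # step e: repeated call for the same epoch
    except Revert:
        pass                   # guarded model rejects it; state is unchanged
    m.balance += 10            # step f: direct deposit, not tracked in allocation
    m.claim(20)
    try:
        result = m.next_epoch_amount()
    except Revert as exc:
        result = str(exc)
    return m.total_allocation, m.claimed, result
```

`run_scenario(False)` ends with allocation 110 and claimed 120, so the subtraction underflows; `run_scenario(True)` keeps allocation at 140 and the next epoch amount resolves to the 10 directly deposited tokens.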

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

atharv181 Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
