TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

recoverToken Function in DaiGoldAuction Does Not Decrement _currentEpochId, Leading to Auction State Inconsistencies

0xCiphky

Vulnerability Details:

The recoverToken function in the DaiGoldAuction contract can be called to recover auction tokens from the current auction as long as it has not started yet. When the token being recovered is Temple Gold, the function also deletes the current auction by deleting epochs[epochId] and moving the leftover auction amount to nextAuctionGoldAmount to be used for the next auction. The problem is that the _currentEpochId state variable, which is incremented when an auction is enabled, is not decremented when the current auction is deleted.

function recoverToken(

address token,

address to,

uint256 amount

) external override onlyElevatedAccess {

...

// auction started but cooldown pending

uint256 epochId = _currentEpochId;

EpochInfo storage info = epochs[epochId];

...

uint256 _totalAuctionTokenAmount = info.totalAuctionTokenAmount;

if (amount > _totalAuctionTokenAmount) { revert CommonEventsAndErrors.InvalidAmount(token, amount); }

/// @dev Epoch data is deleted and leftover amount is addedd to nextAuctionGoldAmount.

/// so admin should recover total auction amount for epoch if that's the requirement

delete epochs[epochId];

/// @dev `nextAuctionGoldAmount` is set to 0 in `startAuction`.

/// `nextAuctionGoldAmount > 0` if there was a distribution after `auctionStart` called

/// epoch is deleted. so if amount < totalAuctionTokenAmount for epoch, add leftover to next auction amount

unchecked {

nextAuctionGoldAmount += _totalAuctionTokenAmount - amount;

}

...

templeGold.safeTransfer(to, amount);

}

Impact:

The _currentEpochId is not decremented when an auction is deleted, leading to inconsistencies in the auction state.

Tools Used:

Manual analysis

Recommendation:

To resolve this issue, ensure that the _currentEpochId is decremented when the current auction is deleted in the recoverToken function.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.