TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Insufficient Input Validation on Recipient Address

scoolj

Summary

The bid function does not adequately validate the _recipient address before performing a transfer of the bidToken. If the recipient address in the SpiceAuctionConfig is set to a zero address or any other invalid address, it could lead to failed transactions or loss of funds.

Impact

Failure to validate the _recipient address can result in:

Failed transactions due to invalid address checks in the ERC20 safeTransferFrom function.
Potential loss of funds if tokens are sent to a zero address or any unintended address.
Unexpected behaviour and potential security vulnerabilities if the recipient address is manipulated.

Tools Used

Manual Review

Recommendations

Add a validation check to ensure that the _recipient address is not a zero address or any other invalid address. Update the bid function as follows:

function bid(uint256 amount) external virtual override nonReentrant {

require(amount > 0, "Amount must be greater than zero");

uint256 epochId = _currentEpochId;

EpochInfo storage info = epochs[epochId];

require(info.isActive(), "Cannot deposit, auction is not active");

SpiceAuctionConfig storage config = auctionConfigs[epochId];

(address bidToken,) = _getBidAndAuctionTokens(config);

address _recipient = config.recipient;

// Validate recipient address

+ require(_recipient != address(0), "Invalid recipient address");

uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);

IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);

uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);

require(amount == _bidTokenAmountAfter - _bidTokenAmountBefore, "Invalid transfer amount, possible fee on transfer");

depositors[msg.sender][epochId] += amount;

info.totalBidTokenAmount += amount;

emit Deposit(msg.sender, epochId, amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.