TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

## [L-2] SpiceAuctionFactory::createAuction Lacks Validation for the Name Parameter

Description:

The createAuction() function in the SpiceAuctionFactory contract creates new auction instances, but it does not validate the name parameter. The name is intended to be a meaningful identifier for the auction; without validation, auctions can be created with empty names, excessively long names, or names containing invalid characters.

Impact:

The absence of validation for the name parameter has several potential impacts, such as an auction being created with an empty name.

Proof of Concept:

Below is the createAuction() function as it currently stands, without any validation for the name parameter:

```solidity
function createAuction(address spiceToken, string memory name) external override onlyElevatedAccess returns (address) {
    if (spiceToken == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    if (spiceToken == templeGold) { revert CommonEventsAndErrors.InvalidParam(); }
    SpiceAuction spiceAuction = new SpiceAuction(templeGold, spiceToken, daoExecutor, name);
    bytes32 pairId = _getPairHash(spiceToken);
    /// @dev not checking pair address exists to allow overwrite in case of a migration
    deployedAuctions[pairId] = address(spiceAuction);
    emit AuctionCreated(pairId, address(spiceAuction));
    return address(spiceAuction);
}
```

Recommended Mitigation:

To address this issue, it is recommended to implement validation checks on the name parameter within the createAuction() function.
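
One way to implement such a check, shown as an added example that is not part of the submission or of TempleDAO's code. The 64-byte limit, the printable-ASCII rule, the error names and the stand-in factory contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not TempleDAO code. MAX_NAME_LENGTH, the error names
/// and the allowed character set are assumptions chosen for this example.
library AuctionNameValidator {
    uint256 internal constant MAX_NAME_LENGTH = 64; // assumed limit, in bytes

    error EmptyName();
    error NameTooLong(uint256 length);
    error InvalidNameCharacter(uint256 index);

    /// Reverts unless `name` is 1..MAX_NAME_LENGTH bytes of printable ASCII.
    function validate(string memory name) internal pure {
        bytes memory raw = bytes(name);
        uint256 len = raw.length;
        if (len == 0) revert EmptyName();
        // Checking the length first bounds the gas spent in the loop below.
        if (len > MAX_NAME_LENGTH) revert NameTooLong(len);
        for (uint256 i = 0; i < len; ++i) {
            uint8 c = uint8(raw[i]);
            // 0x20..0x7E is space through '~'; control bytes and any
            // multi-byte UTF-8 sequence (bytes >= 0x80) are rejected.
            if (c < 0x20 || c > 0x7E) revert InvalidNameCharacter(i);
        }
    }
}

/// Hypothetical stand-in for the factory so the example compiles on its own.
/// It omits access control and the actual SpiceAuction deployment.
contract NameCheckedFactoryExample {
    event NameAccepted(string name);

    function createAuction(address spiceToken, string memory name) external returns (bool) {
        require(spiceToken != address(0), "invalid address");
        // The added check runs before anything is deployed or stored.
        AuctionNameValidator.validate(name);
        emit NameAccepted(name);
        return true;
    }
}
```

In the real factory the `validate` call would sit alongside the existing `spiceToken` checks, before `new SpiceAuction(...)`.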

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
