TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

## [L-2] SpiceAuctionFactory::createAuction Lacks Validation for the Name Parameter

Description:

The createAuction() function in the SpiceAuction contract facilitates the creation of new auction instances. However, the function does not validate the name parameter. The name parameter is intended to be a meaningful identifier for the auction, and without proper validation, it could lead to potential issues such as empty names, excessively long names, or names containing invalid characters.

Impact:

The absence of validation for the name parameter has several potential impacts, such as creating an auction with an empty name, etc.

Proof of Concept:

Below is the createAuction() function as it currently stands, without any validation for the name parameter:

```solidity
function createAuction(address spiceToken, string memory name) external override onlyElevatedAccess returns (address) {
    if (spiceToken == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    if (spiceToken == templeGold) { revert CommonEventsAndErrors.InvalidParam(); }
    SpiceAuction spiceAuction = new SpiceAuction(templeGold, spiceToken, daoExecutor, name);
    bytes32 pairId = _getPairHash(spiceToken);
    /// @dev not checking pair address exists to allow overwrite in case of a migration
    deployedAuctions[pairId] = address(spiceAuction);
    emit AuctionCreated(pairId, address(spiceAuction));
    return address(spiceAuction);
}
```

Recommended Mitigation:

To address this issue, it is recommended to implement validation checks on the name parameter within the createAuction() function.
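One way to implement the recommended check, as an added example that is not part of the submission or of TempleDAO's code. The library name, the error names, the 64-byte cap and the printable-ASCII rule are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (hypothetical helper, not from the TempleGold code base).
library AuctionNameValidator {
    error EmptyName();
    error NameTooLong(uint256 length, uint256 max);
    error InvalidNameCharacter(uint256 index, bytes1 char);

    /// Assumed upper bound; bounds the storage and gas cost of the name.
    uint256 internal constant MAX_NAME_LENGTH = 64;

    /// Reverts unless `name` is 1..MAX_NAME_LENGTH bytes of printable ASCII
    /// with no leading or trailing space.
    function validate(string memory name) internal pure {
        bytes memory raw = bytes(name);
        uint256 len = raw.length;

        if (len == 0) revert EmptyName();
        if (len > MAX_NAME_LENGTH) revert NameTooLong(len, MAX_NAME_LENGTH);

        // Padding spaces make two different names render identically in a UI.
        if (raw[0] == bytes1(0x20)) revert InvalidNameCharacter(0, raw[0]);
        if (raw[len - 1] == bytes1(0x20)) {
            revert InvalidNameCharacter(len - 1, raw[len - 1]);
        }

        for (uint256 i = 0; i < len; ++i) {
            bytes1 c = raw[i];
            // Rejects control bytes (including NUL and newlines) and every
            // byte of a multi-byte UTF-8 sequence, which are all >= 0x80.
            if (c < bytes1(0x20) || c > bytes1(0x7e)) {
                revert InvalidNameCharacter(i, c);
            }
        }
    }
}

/// Minimal wrapper so the check can be exercised on its own in a test.
contract AuctionNameValidatorHarness {
    function check(string calldata name) external pure returns (bool) {
        AuctionNameValidator.validate(name);
        return true;
    }
}
```

In createAuction() the call `AuctionNameValidator.validate(name);` would sit next to the existing spiceToken checks, before `new SpiceAuction(...)`.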

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
