Submission Details
Severity:
Overwriting of existing auctions in `SpiceAuctionFactory`
GitHub
Summary
The SpiceAuctionFactory contract allows overwriting of existing auctions in the deployedAuctions mapping without any checks to facilitate migrations.
Impact
Existing auction contracts could be accidentally or maliciously replaced, leading to loss of auction data.
Recommendation
Emit warnings when overwriting existing auctions to ensure transparency and mitigate the risk of accidental overwrites.
function createAuction(address spiceToken, string memory name) external override onlyElevatedAccess returns (address) {
if (spiceToken == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
if (spiceToken == templeGold) { revert CommonEventsAndErrors.InvalidParam(); }
SpiceAuction spiceAuction = new SpiceAuction(templeGold, spiceToken, daoExecutor, name);
bytes32 pairId = _getPairHash(spiceToken);
if (deployedAuctions[pairId] != address(0)) {
emit AuctionOverwriteWarning(pairId, deployedAuctions[pairId]); // Emit warning for overwrite
}
deployedAuctions[pairId] = address(spiceAuction);
emit AuctionCreated(pairId, address(spiceAuction));
return address(spiceAuction);
}
Events to Emit
event AuctionOverwriteWarning(bytes32 indexed pairId, address oldAuction);
This approach maintains the ability to overwrite auctions for migration purposes while providing a mechanism to track and log such actions to prevent accidental overwrites and improve transparency.
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
Overwriting of existing auctions in `SpiceAuctionFactory`
Prize pool breakdown
Total prize
25,000 USDC
nSLOC
99825 USDC / LOC
20,000 USDC
2,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.