TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Delayed Auction Start Due to Maximum Wait Period on Initial Deployment

Summary

The startAuction function includes a wait period check for the first auction that references the contract deployment timestamp and a configurable wait period. If the wait period is set to its maximum value of 90 days, the contract is unable to initiate the first auction for 90 days after deployment, causing an unnecessary delay in the auction process.

Vulnerability Details

The vulnerability is caused by the following logic:

  1. Initial Wait Period Check: For the first auction, the function includes a condition that checks if the current timestamp (block.timestamp) is greater than the sum of the deployment timestamp (_deployTimestamp) and the configured wait period (config.waitPeriod). This logic is intended to ensure a minimum wait period before the first auction can start.

  2. Maximum Wait Period: The wait period can be set to a maximum of 90 days. If this maximum value is used in the configuration for the initial auction, the contract will be unable to start the auction until 90 days have passed since deployment, leading to a significant and unnecessary delay.

    if (_deployTimestamp + config.waitPeriod > block.timestamp) {
        revert CannotStartAuction();
    }

    https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuction.sol#L155

Impact

The impact of this vulnerability includes:

Operational Inefficiency: The contract cannot start any auctions for up to 90 days after deployment, causing delays in the intended auction process and preventing users from participating in auctions during this period.

Tools Used

Manual Review

Recommendations

To mitigate this issue, consider implementing the following, or changing the design of Start Auction:

  1. Flexible Initial Wait Period: Adjust the logic for the initial auction to provide flexibility in the wait period. Instead of enforcing the maximum wait period, consider a default or minimum wait period for the first auction that allows the protocol to start its auction mechanism shortly after deployment.

    // MITIGATIONS
    if (_deployTimestamp + (config.waitPeriod > 1 days ? 1 days : config.waitPeriod) > block.timestamp) {
        revert CannotStartAuction();
    }

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
