The startAuction function in the contract starts an auction immediately when the startCooldown period is not explicitly set, so the auction is live as soon as the function call completes. This prevents the use of the removeAuctionConfig and recoverToken functions, which both rely on the auction not being active, making it effectively impossible to cancel or reconfigure an auction once it has started.
A zero startCooldown might be intended for some auctions, but because the enforcement is missing it is zero by default for every auction that is created.
The vulnerability arises from the following issues:
Missing Start Cooldown Implementation: In the setAuctionConfig function, the startCooldown parameter defaults to zero. The contract has no explicit implementation or enforcement of a non-zero startCooldown period, so auctions start immediately when startAuction is called, and a creator who wants a startCooldown threshold has no way to apply one. If config.startCooldown is zero, the auction starts at the current block timestamp, leaving no time buffer for cancellation or reconfiguration.
Even the DAIAuction contract implements the cooldown rather than explicitly ignoring it: there the cooldown cannot be zero, and setting it to zero reverts. Refer to that contract for more information.
Immediate Auction Activation: Because the auction starts immediately, there is no opportunity to call removeAuctionConfig or recoverToken, as both functions check whether the auction is active. Since the auction is always active immediately after starting, these functions are rendered unusable; recoverToken remains useful only for recovering tokens other than the spice token and TempleGold tokens.
The active-auction check in both removeAuctionConfig and recoverToken will therefore always fail when the auction starts immediately.
The impact of this vulnerability includes:
Inability to Cancel Auctions: Once an auction starts, it cannot be canceled due to the immediate activation and the checks in place for active auctions. This limits the protocol's flexibility and responsiveness to changing conditions or errors.
Operational Rigidity: The inability to reconfigure or cancel auctions can lead to significant operational rigidity. Misconfigured auctions must run their course, potentially causing issues for users and the protocol.
Manual Code Review
Enforce Minimum Start Cooldown: Ensure that a minimum non-zero startCooldown period is enforced in the setAuctionConfig function, providing a buffer period before the auction starts.
Implement Start Cooldown Logic: Ensure that the startCooldown period is correctly applied and enforced in the startAuction function.
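An added sketch of the recommended fix, written for this report and not taken from the audited contract: only the function names come from the finding, while the struct fields, epoch bookkeeping, the isActive() rule, the MIN_START_COOLDOWN value and the contract name are assumptions, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not the audited contract: struct fields, epoch
// bookkeeping, isActive() and MIN_START_COOLDOWN are assumptions; access control omitted.
contract SpiceAuctionSketch {
    struct AuctionConfig {
        uint32 startCooldown; // seconds between startAuction() and bidding opening
        uint32 duration;      // length of the auction once bidding opens
    }
    struct EpochInfo {
        uint128 startTime;
        uint128 endTime;
    }
    uint32 public constant MIN_START_COOLDOWN = 1 hours; // assumed minimum buffer
    uint256 public currentEpochId;
    mapping(uint256 => AuctionConfig) public auctionConfigs;
    mapping(uint256 => EpochInfo) public epochs;
    error CooldownTooShort(uint32 got, uint32 minimum);
    error AuctionActive();

    // Fix 1: reject a config that would let the auction open immediately.
    function setAuctionConfig(AuctionConfig calldata config) external {
        if (config.startCooldown < MIN_START_COOLDOWN) {
            revert CooldownTooShort(config.startCooldown, MIN_START_COOLDOWN);
        }
        auctionConfigs[currentEpochId + 1] = config;
    }

    // Fix 2: always add the cooldown, so a window exists between startAuction()
    // and startTime in which removeAuctionConfig() / recoverToken() still pass.
    function startAuction() external {
        uint256 epochId = ++currentEpochId;
        AuctionConfig memory config = auctionConfigs[epochId];
        uint128 startTime = uint128(block.timestamp) + config.startCooldown;
        epochs[epochId] = EpochInfo(startTime, startTime + config.duration);
    }

    // Active only between startTime and endTime; with a zero cooldown this is
    // already true in the very block that called startAuction().
    function isActive(uint256 epochId) public view returns (bool) {
        EpochInfo memory info = epochs[epochId];
        return block.timestamp >= info.startTime && block.timestamp < info.endTime;
    }

    // The check the finding describes: usable only while the auction is not active.
    function removeAuctionConfig() external {
        if (isActive(currentEpochId)) revert AuctionActive();
        delete auctionConfigs[currentEpochId];
    }
}
```

With the minimum enforced, the creator has at least MIN_START_COOLDOWN seconds after startAuction() in which isActive() is false and the config can still be removed.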