TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

User can claim TempleGold from DaiGoldAuction by depositing in SpiceAuction.

Summary

User can claim TempleGold from DaiGoldAuction by depositing in SpiceAuction.

Vulnerability Details

Both SpiceAuction and DaiGoldAuction use the same storage, i.e. AuctionBase. Whenever the startAuction() function is called in either SpiceAuction or DaiGoldAuction, EpochInfo is set for _currentEpochId and it is increased by 1.

The _currentEpochId is global, thus DaiGoldAuction can use one and SpiceAuction can use another incremented epochId.

DaiGoldAuction.sol

    function startAuction() external override {
        ...
        uint256 epochId = _currentEpochId = _currentEpochId + 1;
        ...
        EpochInfo storage info = epochs[epochId];
        info.totalAuctionTokenAmount = totalGoldAmount;
        uint128 startTime = info.startTime = uint128(block.timestamp) + config.auctionStartCooldown;
        uint128 endTime = info.endTime = startTime + AUCTION_DURATION;
        emit AuctionStarted(epochId, msg.sender, startTime, endTime, totalGoldAmount);
    }

SpiceAuction.sol

    function startAuction() external override {
        ...
        epochId = _currentEpochId = _currentEpochId + 1;
        EpochInfo storage info = epochs[epochId];
        uint128 startTime = info.startTime = uint128(block.timestamp) + config.startCooldown;
        uint128 endTime = info.endTime = startTime + config.duration;
        info.totalAuctionTokenAmount = epochAuctionTokenAmount;
        ...
    }

Now, after users bid on the auction and the auction ends, users can finally claim the reward token. In the claim() function of both DaiGoldAuction and SpiceAuction, you can just pass in epochId, and if you have some amount deposited in that epochId, you can withdraw the rewardToken, as the depositors[msg.sender][epochId] mapping in the claim() function is global and comes from AuctionBase.

Impact

  1. User had previously deposited 1000e18 ENA into SpiceAuction and the auction for that deposited epoch is finished, but the user hasn't claimed TempleGold yet.

  2. Now, User can just use claim() function in DaiGoldAuction for the deposited epoch of SpiceAuction.

  3. User will be able to claim TempleGold without depositing DAI, at a lower price, as the current price of DAI is 1$ and ENA is 0.41.

Thus, for 410$, users will be able to claim TempleGold worth 1000$ if other units are same which causes loss of the funds from other users and for the protocol.

Note: The reward TempleGold amount depends on various other units like totalAuctionTokenAmount and totalBidTokenAmount. A malicious user can wait for perfect SpiceAuction with higher totalAuctionTokenAmount and less totalBidTokenAmount to execute this attack for max reward.

Tools Used

Manual Analysis

Relevant Github Links

  1. claim() SpiceAuction: https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/SpiceAuction.sol#L209

  2. claim() DaiGoldAuction: https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/DaiGoldAuction.sol#L150

Recommendations

Use different storage for SpiceAuction and DaiGoldAuction instead of using the same AuctionBase.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
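
The finding rests on AuctionBase state being shared between the two auctions. The Foundry test below is an added example, not part of the submission or of the TempleGold code base: it checks what two contracts that inherit one abstract base actually share once each is deployed at its own address. The contracts are hypothetical, simplified stand-ins (AuctionBaseModel, SpiceModel, DaiGoldModel), and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical model of a shared base: same state layout for every child,
// but each deployed child owns its own copy of that state.
abstract contract AuctionBaseModel {
    uint256 internal _currentEpochId;
    // depositor => epochId => bid amount
    mapping(address => mapping(uint256 => uint256)) public depositors;

    function currentEpoch() external view returns (uint256) {
        return _currentEpochId;
    }

    function startAuction() external {
        _currentEpochId = _currentEpochId + 1;
    }

    function bid(uint256 amount) external {
        depositors[msg.sender][_currentEpochId] += amount;
    }
}

// Two children of the same base, deployed at separate addresses.
contract SpiceModel is AuctionBaseModel {}
contract DaiGoldModel is AuctionBaseModel {}

contract InheritedStorageTest is Test {
    function test_inheritedStateIsPerDeployment() public {
        SpiceModel spice = new SpiceModel();
        DaiGoldModel daiGold = new DaiGoldModel();
        address user = address(0xA11CE); // constructed test account

        spice.startAuction();
        vm.prank(user);
        spice.bid(1000e18);

        // The deposit and the epoch counter live in SpiceModel's storage.
        assertEq(spice.currentEpoch(), 1);
        assertEq(spice.depositors(user, 1), 1000e18);

        // DaiGoldModel has the same variables but none of that state.
        assertEq(daiGold.currentEpoch(), 0);
        assertEq(daiGold.depositors(user, 1), 0);
    }
}
```

Inheritance copies the base contract's code and storage layout into each child; the storage itself belongs to the deployed address, so a cross-contract claim would need both auctions to be reached through the same storage (for example, a shared proxy).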
