TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

No slippage protection for bid.

Summary

The ratio (the value) of bid token to reward can change right before the user's bid is executed, which makes him bid for something he did not expect.

Vulnerability Details

During an auction, the amount of auction tokens is fixed.
So, the user has to calculate how much the auction token is worth relative to the bid token himself.

Suppose a user has calculated an amount he is willing to bid at the current ratio and submits a transaction. Since there are also other users, other bids may get executed first, which reduces the rewards:
uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);

Now since totalBidTokenAmount has increased, the user will not be bidding for what he expected.

Example:

  • There are 1000 TGLD as rewards.

  • 900 DAI has been bid by other users.

  • Bob values the TGLD token at 1:1 with DAI, and the auction currently values DAI more.

  • Bob bids 100 DAI. There are also other users (Alice) who value DAI:TGLD at 1:1 and happen to bid at the same time as Bob.

  • Both Bob and Alice value TGLD to be worth 1:1 with DAI, but since there is no slippage protection, both their transactions are executed and they both get less than what they expected.

Impact

Medium, because a user bids for less than what he expected or overpays, and once he has bid he cannot withdraw.
This affects both spiceAuction and gold auction.
It also applies to staking, but there the user can withdraw, so there is no risk.

Note that it is a design choice that the reward is not fixed and that users who have bid in the past can get lesser rewards if there are future bids. This issue identifies the case where a user who has not entered yet bids for a different value than he expected; if there were a protection, he could have opted out instead of continuing with the bid.

Tools Used

manual

Recommendations

Implement a slippage protection mechanism for auction bids.
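The following Python model is an added example, not code from the submission or from the TempleGold contracts; the class, the `min_rate` parameter and the `run` helper are hypothetical, and rounding down is an assumption about the `false` argument in the formula above. It replays the Bob and Alice scenario with a bid-time minimum-rate check, and also shows that such a check only bounds the rate at the moment the bid is included: bids arriving later still dilute the claim, as the design-choice note above describes.

```python
# Added illustration; names below are hypothetical, not TempleGold's contract API.
WAD = 10**18  # 18-decimal fixed point


class SlippageExceeded(Exception):
    pass


class Auction:
    def __init__(self, total_auction_tokens):
        self.total_auction = total_auction_tokens
        self.total_bid = 0
        self.deposits = {}

    def implied_rate(self, extra_bid=0):
        """Auction tokens per bid token (WAD-scaled) if extra_bid were added now."""
        return self.total_auction * WAD // (self.total_bid + extra_bid)

    def bid(self, who, amount, min_rate=0):
        """Record a bid; revert if the rate after inclusion is below min_rate."""
        if amount <= 0:
            raise ValueError("zero bid")
        if self.implied_rate(amount) < min_rate:
            raise SlippageExceeded(who)
        self.deposits[who] = self.deposits.get(who, 0) + amount
        self.total_bid += amount

    def claim_amount(self, who):
        # Same shape as the page's formula, rounding down (assumed meaning of `false`).
        return self.deposits[who] * self.total_auction // self.total_bid


def run(bob_min_rate, late_bid=0):
    """Constructed scenario: 1000 TGLD, 900 DAI already bid, Alice ordered before Bob."""
    a = Auction(1000 * WAD)
    a.bid("others", 900 * WAD)
    a.bid("alice", 100 * WAD)      # lands ahead of Bob's transaction
    try:
        a.bid("bob", 100 * WAD, bob_min_rate)
    except SlippageExceeded:
        return None                # Bob's bid reverts; his DAI is not committed
    if late_bid:
        a.bid("late", late_bid)    # arrives after Bob is already in
    return a.claim_amount("bob")
```

`run(0)` is the unguarded case, `run(WAD)` is Bob insisting on at least 1 TGLD per DAI, and `run(9 * WAD // 10, late_bid=900 * WAD)` shows a guard that passes at bid time while the final rate still falls to 0.5.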

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
