TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Insufficient Parameter Validation

0xdevin

Summary

Functions such as setBidToken and recoverToken lack proper validation, allowing potential misuse. Without adequate validation, these functions can be exploited to set invalid addresses or manipulate the contract's state in unintended ways.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/DaiGoldAuction.sol#L90C5-L128C1

function setBidToken(address _bidToken) external override onlyElevatedAccess {
if (_bidToken == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
if (!epochs[_currentEpochId].hasEnded()) { revert InvalidOperation(); }
bidToken = IERC20(_bidToken);
emit BidTokenSet(_bidToken);
}
function recoverToken(address token, address to, uint256 amount) external override onlyElevatedAccess {
if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
if (token != address(templeGold)) {
emit CommonEventsAndErrors.TokenRecovered(to, token, amount);
IERC20(token).safeTransfer(to, amount);
return;
}
uint256 epochId = _currentEpochId;
EpochInfo storage info = epochs[epochId];
if (info.startTime == 0) { revert InvalidOperation(); }
if (info.isActive()) { revert AuctionActive(); }
if (info.hasEnded()) { revert AuctionEnded(); }
uint256 _totalAuctionTokenAmount = info.totalAuctionTokenAmount;
if (amount > _totalAuctionTokenAmount) { revert CommonEventsAndErrors.InvalidAmount(token, amount); }
delete epochs[epochId];
unchecked {
nextAuctionGoldAmount += _totalAuctionTokenAmount - amount;
}
emit CommonEventsAndErrors.TokenRecovered(to, token, amount);
templeGold.safeTransfer(to, amount);
}

Impact

Examples and Cases of Failure

  1. Invalid Address for Bid Token:

    • Case: An attacker sets the bid token address to address(0).

    • Impact:

      • Contract Malfunction: All functions that interact with bidToken will fail, as address(0) does not support ERC20 operations. This renders the contract unusable for its intended purpose.

      • Potential Funds Lock: If address(0) is set as bidToken, any tokens bid to the contract may be locked and irretrievable, causing significant financial loss for users.

      setBidToken(address(0)); // Should revert, but if it doesn't, it sets an invalid token address

  • Zero Address for Recovery:

  • Case: An attacker attempts to recover tokens to address(0).

  • Impact:

    • Loss of Funds: Tokens sent to address(0) are lost permanently. This results in immediate and irreversible financial loss.

      recoverToken(someTokenAddress, address(0), 1000); // Should revert to prevent burning tokens

Tools Used

vs code

Recommendations

Add validation checks to ensure parameters are valid before proceeding with state changes.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.