TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Rebasing tokens like stETH can break spice and dai gold auctions

Summary

With rebasing tokens like stETH, many protocol functions will break, including bidding and claiming rewards.

Vulnerability Details

stETH is a popular rebasing token in the DeFi space and is integrated into several popular protocols. However, because stETH deals with shares internally, it has a 1-2 wei rounding error. The Lido docs highlight this issue. This will cause SpiceAuction::bid() to revert, because the function disallows fee-on-transfer tokens by requiring the recipient's balance to increase by exactly the bid amount, as can be seen below:

function bid(uint256 amount) external virtual override {
    // ...
    address _recipient = config.recipient;
    uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);
    IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
    uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);
@>  if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) revert CommonEventsAndErrors.InvalidParam();
    // ...
}

If a rebasing token like stETH undergoes slashing or a negative rebase, some bidders in the spice auction will not be able to claim their rewards. Say 100 rebasing tokens were reserved for a spice auction. If Alice bids 50 TGLD and Bob bids another 50 TGLD, both should be eligible to claim 50 rebasing tokens each. However, if a negative rebase occurs and only 90 tokens are left in the spice auction contract, either Alice or Bob (whoever claims second) will have to bear a loss.

In Dai Gold auctions, the DaiGoldAuction::bid() function applies no fee-on-transfer check to verify that the protocol received the correct amount of tokens. If stETH is used, there may be a 1-2 wei rounding error with each deposit. This leads to a case where the last couple of bidders won't be able to claim their share of the tokens, for the same reason described in the paragraph above.
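The strict balance check in SpiceAuction::bid() and the negative-rebase claim shortfall described above, reproduced in a simplified Python model of share-based accounting (an added example, not code from TempleGold or Lido). The token model, the holder names and every balance are constructed assumptions; the rate of 1.1 wei per share is chosen so the rounding is visible.

```python
# Simplified model of a share-based rebasing token (constructed; not Lido's code).
# Assumption: balance = shares * total_pooled // total_shares, and transfers
# convert the requested amount to shares with floor division.

class RebasingToken:
    def __init__(self, total_pooled, shares):
        self.total_pooled = total_pooled            # underlying wei backing all shares
        self.shares = dict(shares)                  # holder -> share count
        self.total_shares = sum(self.shares.values())

    def balance_of(self, who):
        return self.shares.get(who, 0) * self.total_pooled // self.total_shares

    def transfer(self, src, dst, amount):
        moved = amount * self.total_shares // self.total_pooled   # rounds down
        if moved > self.shares.get(src, 0):
            raise ValueError("insufficient balance")
        self.shares[src] -= moved
        self.shares[dst] = self.shares.get(dst, 0) + moved

    def rebase(self, new_total_pooled):
        self.total_pooled = new_total_pooled        # shares unchanged, balances move


def bid_delta(token, bidder, recipient, amount):
    """Balance delta as measured by the before/after check in SpiceAuction::bid()."""
    before = token.balance_of(recipient)
    token.transfer(bidder, recipient, amount)
    return token.balance_of(recipient) - before


def claim_all(token, auction, claims):
    """Pay fixed claims in order; return who was paid and who hit a shortfall."""
    paid, failed = [], []
    for who, amount in claims:
        try:
            token.transfer(auction, who, amount)
            paid.append(who)
        except ValueError:
            failed.append(who)
    return paid, failed


def strict_check_demo():
    token = RebasingToken(1_100, {"bidder": 1_000})      # constructed: 1.1 wei per share
    return bid_delta(token, "bidder", "recipient", 100)  # the check requires exactly 100


def negative_rebase_demo():
    token = RebasingToken(100, {"auction": 100})         # 100 tokens reserved for the auction
    token.rebase(90)                                     # constructed 10% negative rebase
    return claim_all(token, "auction", [("alice", 50), ("bob", 50)])
```

In this model a bid of 100 produces a measured delta of 99, so an `amount != after - before` check rejects it, and after the rebase the second claimant's transfer fails for lack of balance.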

Impact

If rebase tokens like stETH are used, spice auctions will not be able to receive any bids (if stETH is the bid token), and dai gold auctions will register an incorrect amount of tokens deposited into the protocol by a bidder. Because of negative rebasing, it is possible that some bidders might not be able to claim until the rebase token balance increases to the right amount.

Tools Used

Manual review.

Recommended Mitigation

Since rebasing tokens will break the protocol, especially stETH with the 1-2 wei corner case, avoid using rebasing tokens for both spice and dai gold auctions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Rebasing
