TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Inconsistency in setting and removing AuctionConfig in the `SpiceAuction`

Summary

There is an inconsistency in setting and removing AuctionConfig in the SpiceAuction contract. Unlike in DaiGoldAuction, where the config cannot be changed after startAuction() is called, SpiceAuction allows config changes even after startAuction() has been called.

Vulnerability Details

In the DaiGoldAuction contract, the auction config cannot be changed after startAuction() is called, ensuring that once an auction is started, its parameters remain fixed. This precaution is intended to maintain the integrity and predictability of the auction process.

However, in the SpiceAuction contract, it is possible to change the config for an auction even after startAuction() is called.

Scenario:

waitperiod coolDownStart   duration
<---------><--------------><----->

Assume we are in the coolDownStart period and want to increase coolDownStart. Since startAuction() has been called, no one should be able to change the coolDownStart (also, setAuctionConfig will update the config for the next epoch, not the current one), but the following series of function calls could change the coolDownStart for the corresponding epoch:

  1. DAO deletes the config, as the config can be deleted before being active - removeAuctionConfig().

  2. DAO sets the config with an increased coolDownStart() and calls startAuction() again.

Even though this process involves DAO roles, it contradicts the precautionary measures seen in DaiGoldAuction and undermines the consistency of the protocol's behavior. The purpose of restricting config changes after startAuction() is to prevent any tampering or unexpected changes that could affect participants' expectations and the auction's integrity.

Impact

The auction config can be changed even after the auction has started.

Tools Used

Manual

Recommendations

  1. Modify DaiGoldAuction to allow DAO to change auction config as is possible in SpiceAuction.

OR

  1. Prevent config changes in SpiceAuction after startAuction() has been called, aligning it with the DaiGoldAuction precautionary measures.
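
The scenario above and the second recommendation, replayed on a simplified single-epoch model. This is an added illustration in Python, not TempleDAO's Solidity code; the class, the lock_after_start flag and all timestamps are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuctionConfig:            # field names follow the report's timeline
    wait_period: int            # carried for completeness, not exercised here
    cool_down_start: int        # delay between startAuction() and the opening
    duration: int               # carried for completeness, not exercised here


class AuctionModel:
    """Single-epoch toy model (assumption), not the SpiceAuction source."""

    def __init__(self, lock_after_start: bool):
        self.lock_after_start = lock_after_start   # True = second recommendation
        self.config = None
        self.opens_at = None                       # set by start_auction()

    def set_auction_config(self, cfg: AuctionConfig) -> None:
        if self.opens_at is not None:
            # Per the report, a set at this point targets the next epoch only.
            raise PermissionError("current epoch already started")
        self.config = cfg

    def remove_auction_config(self, now: int) -> None:
        if self.opens_at is not None:
            if self.lock_after_start or now >= self.opens_at:
                raise PermissionError("config is fixed for this epoch")
            self.opens_at = None                   # the earlier start is undone
        self.config = None

    def start_auction(self, now: int) -> int:
        if self.config is None or self.opens_at is not None:
            raise RuntimeError("need a config and no auction in progress")
        self.opens_at = now + self.config.cool_down_start
        return self.opens_at


def replay_scenario(lock_after_start: bool) -> int:
    """Return the opening time bidders end up with (constructed timestamps)."""
    auction = AuctionModel(lock_after_start)
    auction.set_auction_config(AuctionConfig(60, 300, 3600))
    announced = auction.start_auction(now=1_000)   # opens at 1_300
    try:
        auction.remove_auction_config(now=1_100)   # step 1, inside coolDownStart
        auction.set_auction_config(AuctionConfig(60, 900, 3600))  # step 2
        return auction.start_auction(now=1_100)
    except PermissionError:
        return announced                           # announced parameters hold
```

With the lock disabled the opening time moves from 1300 to 2000 after the auction was already announced; with the lock enabled the removal is rejected and the announced time stands.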

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
