TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Potential DoS in `SpiceAuction::bid` can deny bidders from placing bids

Summary

Potential DoS in SpiceAuction::bid can deny bidders from placing bids

Vulnerability Details

Since the recipient address for any Spice token bid can be read by calling SpiceAuction::getAuctionConfig, anyone can also send the bid token to the recipient address directly, without going through SpiceAuction::bid.

The concern is the strict equality check in SpiceAuction::bid, shown below (source:
https://github.com/TempleDAO/temple/blob/c94bffdddb57990a71b41eeadbe78a1d49375b4c/protocol/contracts/templegold/SpiceAuction.sol#L197-L199

function bid(uint256 amount) external virtual override {
    /// @dev Cache, gas savings
    uint256 epochId = _currentEpochId;
    EpochInfo storage info = epochs[epochId];
    if(!info.isActive()) { revert CannotDeposit(); }
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    SpiceAuctionConfig storage config = auctionConfigs[epochId];
    (address bidToken,) = _getBidAndAuctionTokens(config);
    address _recipient = config.recipient;
    uint256 _bidTokenAmountBefore = IERC20(bidToken).balanceOf(_recipient);
    IERC20(bidToken).safeTransferFrom(msg.sender, _recipient, amount);
    uint256 _bidTokenAmountAfter = IERC20(bidToken).balanceOf(_recipient);
    // fee on transfer tokens
@>  if (amount != _bidTokenAmountAfter - _bidTokenAmountBefore) { revert CommonEventsAndErrors.InvalidParam(); }
    depositors[msg.sender][epochId] += amount;
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochId, amount);
}

Impact

The submission claims that bidders can be denied the opportunity to bid if a malicious party repeatedly sends arbitrary amounts of the bid token directly to the recipient address, interleaved with calls to SpiceAuction::bid.

Caveat: both balanceOf reads happen inside the same bid() call, immediately before and after the safeTransferFrom. A direct transfer that lands in an earlier transaction is already included in _bidTokenAmountBefore, and one that lands later arrives after _bidTokenAmountAfter was read, so in both cases the delta still equals amount. Only a transfer executed within the bid transaction itself, between the two reads, changes the delta, which for a plain ERC-20 bid token is not something an outside sender can cause. For a standard token the check therefore rejects only fee-on-transfer behaviour, as the inline comment states, and this is why the submission was judged invalid (see the judging note below).

Tools Used

Manual Review

Recommendations

Consider using the depositors mapping alone for accounting and dropping the balance-delta check, as DaiGoldAuction::bid does: each bidder's total is still recorded, and fee-on-transfer tokens need no special handling. Note the trade-off, however: without the check, depositors and totalBidTokenAmount record the amount requested rather than the amount actually received, so a fee-on-transfer bid token would overstate the auction's proceeds.

Also note that in DaiGoldAuction, although DAI is expected to be the primary bid token, any bid token can be set via DaiGoldAuction::setBidToken, yet DaiGoldAuction::bid does not check for fee-on-transfer tokens:

function bid(uint256 amount) external virtual override onlyWhenLive {
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    bidToken.safeTransferFrom(msg.sender, treasury, amount);
    uint256 epochIdCache = _currentEpochId;
    depositors[msg.sender][epochIdCache] += amount;
    EpochInfo storage info = epochs[epochIdCache];
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochIdCache, amount);
}

Updates
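As an added example, not code from this submission or from the TempleDAO repository, the Foundry test below reproduces the balance-delta check from SpiceAuction::bid against two constructed mock tokens. It covers both the Vulnerability Details and the Recommendations above: the first test shows that a direct transfer to the recipient in an earlier transaction does not make a later bid revert, and the second shows the case the check is actually written for, a fee-on-transfer token. The MockToken and DeltaCheckedAuction contracts, the bidder/griefer/recipient addresses and the 1% fee rate are all assumptions made for the example; it depends only on forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed minimal ERC-20-like token. feeBps == 0 gives plain semantics;
// feeBps > 0 burns a fee on every transfer (a fee-on-transfer token).
contract MockToken {
    uint256 public immutable feeBps;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 _feeBps) { feeBps = _feeBps; }

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }

    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt;
        return true;
    }

    function transfer(address to, uint256 amt) external returns (bool) {
        _move(msg.sender, to, amt);
        return true;
    }

    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt; // checked arithmetic reverts on insufficient allowance
        _move(from, to, amt);
        return true;
    }

    function _move(address from, address to, uint256 amt) internal {
        uint256 fee = amt * feeBps / 10_000; // fee is burned, recipient gets amt - fee
        balanceOf[from] -= amt;
        balanceOf[to] += amt - fee;
    }
}

// Constructed stand-in for the transfer + strict delta check in SpiceAuction::bid.
contract DeltaCheckedAuction {
    error InvalidParam();

    MockToken public immutable bidToken;
    address public immutable recipient;
    mapping(address => uint256) public depositors;
    uint256 public totalBidTokenAmount;

    constructor(MockToken _token, address _recipient) {
        bidToken = _token;
        recipient = _recipient;
    }

    function bid(uint256 amount) external {
        // Both reads happen inside this call, on either side of the transfer.
        uint256 before = bidToken.balanceOf(recipient);
        require(bidToken.transferFrom(msg.sender, recipient, amount), "transferFrom failed");
        uint256 after_ = bidToken.balanceOf(recipient);
        if (amount != after_ - before) revert InvalidParam();
        depositors[msg.sender] += amount;
        totalBidTokenAmount += amount;
    }
}

contract DeltaCheckTest is Test {
    address bidder = makeAddr("bidder");
    address griefer = makeAddr("griefer");
    address recipient = makeAddr("recipient");

    function test_directTransferBeforeBidDoesNotRevert() public {
        MockToken token = new MockToken(0);
        DeltaCheckedAuction auction = new DeltaCheckedAuction(token, recipient);
        token.mint(bidder, 100e18);
        token.mint(griefer, 100e18);

        // Griefer sends tokens straight to the recipient in a separate transaction.
        vm.prank(griefer);
        token.transfer(recipient, 7e18);

        // The 7e18 is already in `before` when bid() runs, so the delta is exactly 10e18.
        vm.startPrank(bidder);
        token.approve(address(auction), 10e18);
        auction.bid(10e18);
        vm.stopPrank();

        assertEq(auction.depositors(bidder), 10e18);
        assertEq(auction.totalBidTokenAmount(), 10e18);
        assertEq(token.balanceOf(recipient), 17e18);
    }

    function test_feeOnTransferTokenReverts() public {
        MockToken token = new MockToken(100); // 1% burned per transfer (assumed rate)
        DeltaCheckedAuction auction = new DeltaCheckedAuction(token, recipient);
        token.mint(bidder, 100e18);

        // Recipient receives 9.9e18 for a 10e18 bid, so the strict check rejects it.
        vm.startPrank(bidder);
        token.approve(address(auction), 10e18);
        vm.expectRevert(DeltaCheckedAuction.InvalidParam.selector);
        auction.bid(10e18);
        vm.stopPrank();
    }
}
```

Save it under test/ in a Foundry project that has forge-std installed and run `forge test --match-contract DeltaCheckTest -vv`. The first test is the scenario the submission describes and it passes without a revert; removing the delta check, as the Recommendations suggest, would make the second test record 10e18 in depositors while the recipient holds only 9.9e18.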

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
