TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Potential Exploit using Flash Mintable DAI Tokens in DaiGoldAuction Contract

Summary

The DaiGoldAuction contract is vulnerable to exploitation through DAI's flash minting feature in its bidding function. This vulnerability allows malicious users to temporarily inflate the totalBidTokenAmount, misleading auction dynamics and potentially causing unfair outcomes.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/DaiGoldAuction.sol#L132

The bid function in the DaiGoldAuction contract accepts DAI tokens, which can be flash minted within a single transaction. Flash minting allows for the creation of DAI tokens up to a limit set by Maker Governance, provided they are repaid with a fee by the end of the transaction. Exploiting this feature, attackers can artificially inflate the totalBidTokenAmount during the auction, thereby manipulating bidding dynamics.

STEPS:

1. The attacker initiates a flash minting operation for DAI creating a large amount of DAI temporarily.
2. The attacker uses the flash minted DAI to place a bid in the auction.
3. The bid function is called and the flash minted DAI is transferred to the treasury with the contract updating the totalBidTokenAmount and the attacker's deposit record.
4. At the end of the transaction, the flash minted DAI is returned leaving no lasting impact on the attacker's balance. However, the auction contract has already recorded the inflated totalBidTokenAmount.

Impact

The manipulation can:

- Skew the perceived demand in the auction.
- Cause other bidders to overbid based on inflated numbers.
- Lead to unfair distribution of auction tokens.

Tools Used

Code review

Recommendations

To mitigate this vulnerability, implement additional checks to ensure that the bid tokens remain in the treasury and are not temporarily inflated using flash minting.

// Measure the treasury's balance, since that is where the bid tokens are sent.
uint256 balanceBefore = bidToken.balanceOf(treasury);
bidToken.safeTransferFrom(msg.sender, treasury, amount);
uint256 balanceAfter = bidToken.balanceOf(treasury);
if (balanceAfter - balanceBefore != amount) {
    revert CommonEventsAndErrors.InvalidParam(); // Catch discrepancies.
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
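
The accounting behind the submission's four steps can be checked with a small model. This is an added example, not code from the submission or from TempleDAO. It assumes only what the page states: a flash mint must be repaid with a fee inside the same transaction, and bid moves the tokens from the bidder to the treasury. The class names, account labels and amounts are constructed for illustration.

```python
class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""

class Ledger:
    # Constructed toy model: DAI balances plus the auction's bid counter.
    def __init__(self, balances):
        self.bal = dict(balances)
        self.total_bid = 0  # stands in for totalBidTokenAmount

    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

    def bid(self, bidder, amount):
        # As in the submission's snippet: bid tokens go to the treasury.
        self.transfer(bidder, "treasury", amount)
        self.total_bid += amount

    def flash_mint(self, borrower, amount, fee, callback):
        # Mint, run the borrower's callback, then collect amount + fee.
        self.bal[borrower] = self.bal.get(borrower, 0) + amount
        callback(self)
        self.transfer(borrower, "minter", amount + fee)  # reverts if short
        self.bal["minter"] -= amount  # principal is burned, fee is kept

def run_tx(ledger, tx):
    """Apply tx atomically; on Revert restore the pre-transaction state."""
    snapshot = (dict(ledger.bal), ledger.total_bid)
    try:
        tx(ledger)
        return True
    except Revert:
        ledger.bal, ledger.total_bid = dict(snapshot[0]), snapshot[1]
        return False

def flash_bid(own_dai, minted, fee=0):
    """Bid `minted` flash-minted DAI while holding `own_dai` of real DAI.

    Returns (tx succeeded, total_bid, treasury balance, bidder balance).
    """
    ledger = Ledger({"bidder": own_dai, "treasury": 0, "minter": 0})
    ok = run_tx(ledger, lambda l: l.flash_mint(
        "bidder", minted, fee, lambda l2: l2.bid("bidder", minted)))
    return ok, ledger.total_bid, ledger.bal["treasury"], ledger.bal["bidder"]
```

In this model a bid funded only by minted DAI reverts along with its counter update, and a bid that succeeds leaves the treasury holding exactly the amount recorded, paid from the bidder's own balance.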
