Summary

The SpiceAuction contract implements a dynamic auction system for distributing tokens. Each auction is configured with specific parameters, including an ActivationMode and a minimumDistributedAuctionToken amount. The contract supports two tokens Spice and Temple Gold with either serving as the bid or auction token in any given epoch.

The startAuction function is responsible for initiating new auctions. It performs several checks to ensure the auction meets the configured criteria before activation. One key aspect is the verification of the available auction token balance against the minimumDistributedAuctionToken threshold.

Vulnerability Details

The contract defines an ActivationMode enum, which includes two modes:

1. AUCTION_TOKEN_BALANCE

2. USER_FIRST_BID

The intention appears to be that the AUCTION_TOKEN_BALANCE mode enforces a strict check on the minimum token balance, while other mode might have different activation criteria.

The current implementation of the startAuction function applies the minimumDistributedAuctionToken check universally, regardless of the configured ActivationMode. This creates two potential edge cases:

1. Auctions may fail to start when not in AUCTION_TOKEN_BALANCE mode due to insufficient token balance, even if this check is not intended for the selected mode.

2. Auctions with a very low or zero minimumDistributedAuctionToken value could start unintentionally when not in AUCTION_TOKEN_BALANCE mode, potentially with an undesirably small auction token amount.

Code Snippet:

Impact

1. Legitimate auctions might fail to start due to overly restrictive checks.

2. Auctions could potentially begin with very small token amounts, which may not be economically viable or intended.

Tools Used

Manual

Recommendations

Modify the startAuction function to only perform the token balance check when in AUCTION_TOKEN_BALANCE mode:

This change ensures that the minimum token balance is only enforced when explicitly required by the activation mode.