TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

```removeAuctionConfig``` could be open to removing two different epoch configurations

0xrststn

Summary

In SpiceAuction::removeAuctionConfig, there is a possibility that the configuration removed is not the one for the current epoch but for the following one incurring in a possible error.

Vulnerability Details

When removeAuctionConfig is invoked, two scenarios are considered:

startAuction is triggered but the auction is in cooldown period.
startAuction is not triggered but auctionConfig is set although _currentEpochIdis not updated yet.
In the first scenario, the auction configuration for the current auction (while in cooldown) is removed.
In the second scenario, the configuration for the next epoch is removed before startAuction is called hence startAuction cannot be invoked until a new configuration is set.
There is, however, a third scenario which is not considered. This scenario is a combination of the other two scenarios:
startAuction is triggered but the auction is in cooldown period.
setAuctionConfig is invoked setting the configuration for the next epoch.
In this scenario, both configurations (current and next epoch) can be removed but if removeAuctionConfig is invoked, only the next epoch configuration will be removed. removeAuctionconfig will have to be invoked a second time in order to remove the current epoch configuration. This behaviour could mistakenly remove a configuration other than the intended one.

Proof of Concept

Add this test to SpiceAuction.t.sol

function test_removeSpiceAuctionConfig_for_both_current_and_next_epoch() public {

_startAuction(true, true);

vm.startPrank(daoExecutor);

ISpiceAuction.SpiceAuctionConfig memory config;

config = _getAuctionConfig();

// set the next epoch duration to 15 days

config.duration = 15 days;

spice.setAuctionConfig(config);

assertEq(spice.getAuctionConfig(2).duration, 15 days);

// by calling removeAuctionConfig, next epoch configuration is removed

spice.removeAuctionConfig();

assertEq(spice.getAuctionConfig(1).duration, 7 days);

assertEq(spice.getAuctionConfig(2).duration, 0);

// by calling removeAuctionConfig again, current epoch configuration is removed

spice.removeAuctionConfig();

assertEq(spice.getAuctionConfig(1).duration, 0);

assertEq(spice.getAuctionConfig(2).duration, 0);

}

Impact

Trying to remove current epoch auction (i.e. startAuction triggered) but inadvertently removing a different than intended auction configuration (i.e. next epoch configuration).

Tools Used

Foundry

Recommendations

In the scenario where both, current epoch and next epoch configurations can be removed, make sure there is no possible mistake by either removing both or let the user select which one to remove.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.