TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

DOS of SpiceAuction and DaiGoldAuction functions

Summary

An auction config can be changed if an auction is not active at that time. This is a rule for both DaiGoldAuction and SpiceAuction.

Vulnerability Details

In both the DaiGoldAuction and SpiceAuction contracts, there is a validation for when a config can be changed: there must be no Active auction at the time.

function setAuctionConfig(AuctionConfig calldata _config) external override onlyElevatedAccess {
    if (_config.auctionStartCooldown == 0
        || _config.auctionMinimumDistributedGold == 0
        || _config.auctionsTimeDiff == 0)
        { revert CommonEventsAndErrors.ExpectedNonZero(); }
@>  if (!epochs[_currentEpochId].hasEnded()) { revert InvalidOperation(); } //@audit-issue attacker can DOS and prevent this function from being called
    auctionConfig = _config;
    emit AuctionConfigSet(_currentEpochId, _config);
}

function setAuctionConfig(SpiceAuctionConfig calldata _config) external onlyDAOExecutor {
    /// @dev epoch Id is only updated when auction starts.
    /// @dev cannot set config for past or ongoing auction
    uint256 currentEpochIdCache = _currentEpochId;
    if (currentEpochIdCache > 0) {
        EpochInfo storage info = epochs[currentEpochIdCache];
        /// Cannot set config for ongoing auction
@>      if (info.isActive()) { revert InvalidConfigOperation(); }
    }
    // ...
}

Consider this scenario:

1) Suppose anyone can call startAuction() in both DaiGoldAuction and SpiceAuction.

2) The current auction has ended, so it's the perfect time for the admin to change some config of those auctions

3) An admin triggers a tx. For example: DaiGoldAuction.setAuctionConfig() or SpiceAuction.setAuctionConfig()

4) An attacker monitors the mempool and frontruns the admin tx. The attacker calls startAuction(), so the current auction changes its state from Ended to Active.

5) The admin txs revert because the current auction is Active now.

6) The admin has to wait until the current auction ends, to change the config. However, the next time the attacker can do the same thing and prevent the config from being updated again.

Code snippets:

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L64-L72

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L79-L83

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L90-L95

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/DaiGoldAuction.sol#L123

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L84-L133

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L170

Impact

DOS of DaiGoldAuction.setAuctionConfig(), setAuctionStarter(), setBidToken()

DOS of SpiceAuction.setAuctionConfig(), removeAuctionConfig()

Tools Used

Manual review

Recommendations

Consider allowing only trusted roles to execute startAuction() in both auction contracts.
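The following is an added Python model, not TempleDAO's contract code and not part of the submission, of the transaction ordering in the scenario above and of the recommended trusted-starter restriction. It assumes the report's premise that startAuction() is otherwise callable by anyone; `AuctionModel`, the `starter` field, the time values and the `NotStarter`/`NotAdmin` error names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

class Revert(Exception):
    """Stands in for a Solidity revert."""

@dataclass
class AuctionModel:
    starter: Optional[str] = None    # None: anyone may start (the report's premise)
    duration: int = 10               # assumed epoch length, arbitrary time units
    epoch_end: Optional[int] = None  # None: no epoch started yet
    config: int = 0

    def is_active(self, now: int) -> bool:
        return self.epoch_end is not None and now < self.epoch_end

    def start_auction(self, sender: str, now: int) -> None:
        if self.starter is not None and sender != self.starter:
            raise Revert("NotStarter")        # model-only error name
        if self.is_active(now):
            raise Revert("InvalidOperation")
        self.epoch_end = now + self.duration  # Ended -> Active

    def set_auction_config(self, sender: str, now: int, value: int) -> None:
        if sender != "admin":
            raise Revert("NotAdmin")          # model-only error name
        if self.is_active(now):               # guard from the quoted setAuctionConfig
            raise Revert("InvalidOperation")
        self.config = value

def run_block(auction, txs, now):
    """Apply transactions in the order given; return one result string per tx."""
    results = []
    for method, sender, *args in txs:
        try:
            getattr(auction, method)(sender, now, *args)
            results.append("ok")
        except Revert as err:
            results.append(f"revert:{err}")
    return results

def scenario(starter=None, start_first=True):
    """Epoch 1 runs t=0..10; at t=10 both txs land in the same block."""
    auction = AuctionModel(starter=starter)
    auction.start_auction(starter or "anyone", now=0)
    txs = [("start_auction", "outsider"), ("set_auction_config", "admin", 7)]
    return run_block(auction, txs if start_first else txs[::-1], now=10), auction.config
```

In the model, the config update fails only when an unrestricted start is ordered ahead of it; with a designated starter the outsider's call reverts and the update goes through.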

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
