TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

Risk of Protocol Losses Due to Very Low Bids in DaiGoldAuction

Summary

The DaiGoldAuction contract allows users to bid very small amounts of tokens. This can lead to significant protocol losses because even minimal bids can claim a disproportionate share of the distributed Temple Gold.

Vulnerability Details

In the DaiGoldAuction contract, users can bid with very small amounts of tokens.

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/DaiGoldAuction.sol#L132C1-L143C6

function bid(uint256 amount) external virtual override onlyWhenLive {
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    bidToken.safeTransferFrom(msg.sender, treasury, amount);
    uint256 epochIdCache = _currentEpochId;
    depositors[msg.sender][epochIdCache] += amount;
    EpochInfo storage info = epochs[epochIdCache];
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochIdCache, amount);
}

The claim amount of Temple Gold is calculated based on the proportion of the user's bid to the total bid amount. If a large number of users bid very small amounts, they can still claim significant portions of the Temple Gold distributed, potentially leading to substantial losses for the protocol.

For example, if only three bidders participate and each of them bids 1 unit of the bid token, each receives 33% of the Temple Gold distributed for that epoch.

function claim(uint256 epochId) external virtual override {
    /// @notice cannot claim for current live epoch
    EpochInfo storage info = epochs[epochId];
    if (!info.hasEnded()) { revert CannotClaim(epochId); }
    /// @dev epochId could be invalid. eg epochId > _currentEpochId
    if (info.startTime == 0) { revert InvalidEpoch(); }
    uint256 bidTokenAmount = depositors[msg.sender][epochId];
    if (bidTokenAmount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    delete depositors[msg.sender][epochId];
    uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);
    templeGold.safeTransfer(msg.sender, claimAmount);
    emit Claim(msg.sender, epochId, bidTokenAmount, claimAmount);
}

The calculation bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false) can result in significant claims even for very small bid amounts if the total bid amount is low, leading to financial losses for the protocol.

Impact

If bidders place very low bids, they can still claim a considerable percentage of the distributed Temple Gold, causing substantial financial losses for the protocol.

Likelihood seems very low, but not impossible. Impact looks high because the protocol receives very low bid amounts but pays out large Temple Gold amounts. Hence the severity: High/Medium.

Tools Used

Manual Review

Recommendations

Implement a minimum bid amount to ensure that only meaningful bids can participate in the auction. This can help prevent the protocol from distributing big rewards for low bids.

function bid(uint256 amount) external virtual override onlyWhenLive {
-   if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
+   if (amount < MINIMUM_BID_ALLOWED) { revert(); }
    // @audit SUBMITTED: follow CEI in case transferFrom uses callbacks
    bidToken.safeTransferFrom(msg.sender, treasury, amount);
    uint256 epochIdCache = _currentEpochId;
    depositors[msg.sender][epochIdCache] += amount;
    EpochInfo storage info = epochs[epochIdCache];
    info.totalBidTokenAmount += amount;
    emit Deposit(msg.sender, epochIdCache, amount);
}

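
As an added example (not code from this submission or from the TempleGold repository), the following Python model of the quoted bid()/claim() accounting reproduces the three-bidders-of-1 case above, shows that a bidder's claim depends only on its proportion of the epoch's bid total, and includes the minimum-bid guard the recommendation proposes. It assumes mulDivRound(x, y, d, false) floors x*y/d, and MINIMUM_BID_ALLOWED is treated as a hypothetical constructor parameter.

```python
# Added example: a minimal Python model of the quoted bid()/claim() accounting.
# Not code from the submission or the TempleGold repository.
# Assumed: mulDivRound(x, y, d, false) floors x*y/d (TempleMath semantics);
# minimum_bid stands in for the hypothetical MINIMUM_BID_ALLOWED constant.

def mul_div_round(x: int, y: int, d: int, round_up: bool) -> int:
    """x*y/d with an explicit rounding direction."""
    q, r = divmod(x * y, d)
    return q + 1 if (round_up and r) else q


class DaiGoldAuctionModel:
    """One auction epoch: bids accumulate, claims are paid pro-rata."""

    def __init__(self, auction_amount: int, minimum_bid: int = 0):
        self.total_auction_token_amount = auction_amount  # Temple Gold on offer
        self.total_bid_token_amount = 0                   # sum of all bids
        self.depositors = {}
        self.minimum_bid = minimum_bid  # 0 reproduces the original (amount == 0 only)
        self.ended = False
        self.paid_out = 0

    def bid(self, user: str, amount: int) -> None:
        if amount == 0:
            raise ValueError("ExpectedNonZero")
        if amount < self.minimum_bid:
            raise ValueError("BelowMinimumBid")  # the recommended guard
        self.depositors[user] = self.depositors.get(user, 0) + amount
        self.total_bid_token_amount += amount

    def claim(self, user: str) -> int:
        if not self.ended:
            raise ValueError("CannotClaim")
        bid_amount = self.depositors.pop(user, 0)  # delete depositors[user][epochId]
        if bid_amount == 0:
            raise ValueError("ExpectedNonZero")
        claim_amount = mul_div_round(
            bid_amount, self.total_auction_token_amount, self.total_bid_token_amount, False)
        self.paid_out += claim_amount
        return claim_amount


def run_scenario(bids: dict, auction_amount: int, minimum_bid: int = 0) -> dict:
    """Run one epoch with constructed bids; return each claim and the epoch totals."""
    auction = DaiGoldAuctionModel(auction_amount, minimum_bid)
    for user, amount in bids.items():
        auction.bid(user, amount)
    auction.ended = True  # epoch has ended, claims are now open
    claims = {user: auction.claim(user) for user in bids}
    return {"claims": claims, "total_bid": auction.total_bid_token_amount,
            "paid_out": auction.paid_out}
```

Running run_scenario({"a": 1, "b": 1, "c": 1}, 100) gives 33 to each bidder with 1 unit left unclaimed by floor rounding, and scaling every bid by 10**18 yields the same claims; a single 1-unit bid alongside a 10**18 bid claims 0.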
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
