Incorrect Accounting for `_totalAuctionTokenAllocation[token]` in `recoverToken()` Function
Summary
The SpicyAuction::recoverToken() function allows the recovery of auction tokens without updating the _totalAuctionTokenAllocation[token]. This can lead to incorrect calculation of epochAuctionTokenAmount in the next auction epoch, causing locking of auction tokens.
Vulnerability Details
The _totalAuctionTokenAllocation[token] tracks total allocation of auction token Temple Gold.
The function SpicyAuction::recoverToken() recovers Temple Gold from the auction contract without subtracting withdrawn token amount from _totalAuctionTokenAllocation[token], resulting in the amount of auction token (epochAuctionTokenAmount) is smaller in the next auction epoch.
Where,
The
totalAuctionTokenAllocation[token]remains unchanged afterrecoverToken();As some auction tokens have been recovered, the
balanceof auction token is decreased.As a result, the
epochAuctionTokenAmountis smaller than it should be, equating to the amount of recovered auction token.
Impact
The same amount of recovered auction tokens cannot be distributed by the auction and will be locked.
Tools Used
vscode
Recommendations
Update the _totalAuctionTokenAllocation[token] accordingly.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.