TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Attackers can claim for past epochs... Leading to lose of funds from the contract

Baptizer

Summary

Attackers can claim for past epochs... Leading to lose of funds from the contract.

Vulnerability Details

Again, here is the claimfunction in the DAIGold.solcontract:

function claim(uint256 epochId) external virtual override {
/// @notice cannot claim for current live epoch
EpochInfo storage info = epochs[epochId];
if (!info.hasEnded()) { revert CannotClaim(epochId); }
/// @dev epochId could be invalid. eg epochId > _currentEpochId
if (info.startTime == 0) { revert InvalidEpoch(); }
uint256 bidTokenAmount = depositors[msg.sender][epochId];
if (bidTokenAmount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
delete depositors[msg.sender][epochId];
uint256 claimAmount = bidTokenAmount.mulDivRound(info.totalAuctionTokenAmount, info.totalBidTokenAmount, false);
templeGold.safeTransfer(msg.sender, claimAmount);
emit Claim(msg.sender, epochId, bidTokenAmount, claimAmount);
}

The ability to successfully claim tokens can be called by anyone. Even though the developers assume this will be called by honest users, attackers can exploit this function.

There are 3 checks above: 2 for timing, and 1 against 0 amounts. But none is against those who have never deposited, but want to claim.

Logically, this line templeGold.safeTransfer(msg.sender, claimAmount);will also work for attackers.

Impact

Loss of funds.

Tools Used

Manual review.

Recommendations

Checkmate against the possibility of those who never deposited from claiming.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.