In DaiGoldAuction, an attacker can start an auction by calling startAuction before the elevated access address has set up auctionConfig or auctionStarter. This can cause DoS to elevated access functions like setAuctionConfig, setAuctionStarter and setBidToken.
startAuction doesn't check whether auctionConfig or auctionStarter have been set by an address with elevated access. So an attacker can frontrun the config setup transaction and call startAuction. The auction will be started successfully. Since setAuctionConfig, setAuctionStarter and setBidToken have the following check implemented, the elevated access address won't be able to update auctionConfig, auctionStarter or bidToken until the auction has ended. Once the auction ends, the attacker can again frontrun and call startAuction, and the auction will be started successfully because config.auctionsTimeDiff will be 0. The attacker can do this every time an auction ends. Also, the elevated access address won't be able to recover any tokens for an auction started by an attacker, because config.auctionStartCooldown will be 0 and the new auction will be active in the same block in which the old auction ends.
Steps to reproduce:
1) Admin calls setAuctionConfig.
2) Attacker frontruns step 1 from the admin and calls startAuction. Due to this, step 1 from the admin will revert.
3) Auction started by attacker ends.
4) Attacker again calls startAuction and a new auction will be started because all conditions will pass.
The attacker can cause permanent DoS to elevated access functions. The admin won't be able to update or set auctionConfig, auctionStarter or bidToken.
Manual review
Add checks in the startAuction function to ensure that config and auctionStarter are properly set.
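One way the recommended checks could look, shown on a simplified model contract. This is an added example, not the DaiGoldAuction source: only startAuction, setAuctionConfig, setAuctionStarter, auctionConfig, auctionStarter, auctionsTimeDiff and auctionStartCooldown come from the finding; the auctionDuration field, the admin variable, the error names and the rule that only auctionStarter may start an auction are assumptions made for the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration only; NOT the DaiGoldAuction contract.
contract AuctionStartGuardModel {
    struct AuctionConfig {
        uint32 auctionsTimeDiff;     // minimum gap between auction starts (named in the finding)
        uint32 auctionStartCooldown; // delay before a started auction is live (named in the finding)
        uint32 auctionDuration;      // assumed field, used here as the "config is set" marker
    }

    AuctionConfig public auctionConfig;
    address public auctionStarter;
    address public immutable admin;  // stands in for the elevated access address (assumed)
    uint64 public lastStart;
    uint64 public lastEnd;

    error NotAdmin();
    error AuctionActive();
    error ConfigNotSet();
    error StarterNotSet();
    error NotStarter();
    error TooEarly();

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }
    // Models the setter-side check from the finding: no updates while an auction is running.
    modifier whenIdle() { if (block.timestamp < lastEnd) revert AuctionActive(); _; }

    function setAuctionConfig(AuctionConfig calldata c) external onlyAdmin whenIdle { auctionConfig = c; }
    function setAuctionStarter(address s) external onlyAdmin whenIdle { auctionStarter = s; }

    function startAuction() external {
        AuctionConfig memory c = auctionConfig;
        // Recommended checks: refuse to start until the admin has configured the contract,
        // so a call made before setup reverts instead of locking the setters.
        if (c.auctionDuration == 0) revert ConfigNotSet();
        if (auctionStarter == address(0)) revert StarterNotSet();
        if (msg.sender != auctionStarter) revert NotStarter();
        if (block.timestamp < lastEnd) revert AuctionActive();
        if (lastStart != 0 && block.timestamp < lastStart + c.auctionsTimeDiff) revert TooEarly();
        lastStart = uint64(block.timestamp) + c.auctionStartCooldown;
        lastEnd = lastStart + c.auctionDuration;
    }
}
```

With these guards, a startAuction call that lands before setAuctionConfig reverts with ConfigNotSet, so the admin's setup transaction in step 1 is no longer blocked by an active auction.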