TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Invalid

setAuctionStarter() can be permanently prevented from setting a non-zero address as a result of lack of startAuction() design

Summary

setAuctionStarter() can be permanently prevented from setting a non-zero address as a result of the startAuction() design.

Vulnerability Details

setAuctionStarter() can only be called by "onlyElevatedAccess", and the function can set the auctionStarter address either to address(0) or to a non-zero address. However, the issue is that a malicious user can continuously block the function from setting auctionStarter to an address that is not the zero address.

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/DaiGoldAuction.sol#L79C5-L85C1

This can be done by front-running the startAuction() function when the contract is first deployed and before "onlyElevatedAccess" calls setAuctionStarter() with a real address as the auctionStarter. Also, the issue of denying "onlyElevatedAccess" from setting a real address other than the zero address would persist through front-running startAuction() whenever address(0) is set as the auctionStarter.

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/DaiGoldAuction.sol#L104

startAuction() allows anyone to call it as long as no address has been set as the auctionStarter, or address(0) is set as the auctionStarter, and an auction has ended. This makes it easy for a malicious user to deny "onlyElevatedAccess" from ever setting a real address different from address(0).

Case 1 - when the contract is first deployed
A malicious user can front-run "onlyElevatedAccess" before it calls setAuctionStarter() by calling startAuction(). By this, epoch, startTime, and endTime would have been set. So, it would be impossible to call setAuctionStarter() or startAuction() until an auction has ended.

Even when an auction ends and the waiting time has passed, the malicious user can still front-run "onlyElevatedAccess" before it calls setAuctionStarter() by calling startAuction() again.

Case 2 - when "onlyElevatedAccess" initially sets auctionStarter to address(0) in setAuctionStarter()
The auctionStarter is currently set to address(0).

  • An account with "onlyElevatedAccess" privilege plans to call setAuctionStarter().

  • This call would set auctionStarter to a real, non-zero address.

  • However, a malicious user can observe this pending transaction in the mempool.

  • The malicious user can then quickly submit their own startAuction() transaction.

  • They set a higher gas fee to ensure their transaction is processed first.

  • This allows the malicious user to call startAuction() before auctionStarter is changed.

  • The malicious user succeeds in starting the auction when they shouldn't have been able to.

  • This action effectively front-runs the intended setAuctionStarter() transaction.

This can continue on and on.

Impact

Permanent denial of service: setAuctionStarter() is rendered unable to set a real address.

Tools Used

Manual review

Recommendations

It is suggested that startAuction() should be restricted and callable by a privileged address.
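
A minimal sketch of the recommendation above, added here as an example and not taken from the DaiGoldAuction source: the starter is fixed at deployment and startAuction() is callable only by that address. The contract name, `elevated`, `DURATION`, `COOLDOWN`, the events and the errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified, hypothetical model of a gated auction start.
/// It is NOT the DaiGoldAuction contract; all names and values are assumed.
contract GatedAuctionModel {
    error InvalidAccess();
    error ZeroAddress();
    error CannotStartAuction();

    event AuctionStarterSet(address indexed starter);
    event AuctionStarted(uint256 indexed epoch, uint64 startTime, uint64 endTime);

    uint64 public constant DURATION = 1 weeks;  // assumed auction length
    uint64 public constant COOLDOWN = 1 hours;  // assumed waiting time between auctions

    address public immutable elevated;  // stand-in for the onlyElevatedAccess role
    address public auctionStarter;      // never address(0) in this model
    uint256 public epoch;
    uint64 public startTime;
    uint64 public endTime;

    constructor(address _elevated, address _starter) {
        if (_elevated == address(0) || _starter == address(0)) revert ZeroAddress();
        elevated = _elevated;
        // Set in the deployment transaction, so no block exists in which
        // the contract is live and the starter is still unset.
        auctionStarter = _starter;
        emit AuctionStarterSet(_starter);
    }

    function setAuctionStarter(address _starter) external {
        if (msg.sender != elevated) revert InvalidAccess();
        if (_starter == address(0)) revert ZeroAddress();
        auctionStarter = _starter;  // does not depend on auction state
        emit AuctionStarterSet(_starter);
    }

    function startAuction() external {
        // Only the configured starter may open an epoch.
        if (msg.sender != auctionStarter) revert InvalidAccess();
        // After the first epoch, require the previous auction plus cooldown to be over.
        if (epoch != 0 && block.timestamp < endTime + COOLDOWN) revert CannotStartAuction();
        epoch += 1;
        startTime = uint64(block.timestamp);
        endTime = startTime + DURATION;
        emit AuctionStarted(epoch, startTime, endTime);
    }
}
```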

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

`startAuction` the second the DaiGoldAuction is deployed can be used to DOS the contract

Appeal created

sabit Submitter
12 months ago
inallhonesty Lead Judge
12 months ago