two auctions can be started with less than auctionsTimeDiff time difference
Summary
In DaiGoldAuction, it is possible to start two auctions with less than config.auctionsTimeDifftime difference.
Vulnerability Details
function recoverTokenis used to recover the templeTokenfor auction which is in cooldown. The amount is specified which is to be recovered and remaining is added in next auction. The function also deletes the data for that epochId which means that auction doesn't exist anymore.
Due to this deletion, it is possible to start an auction even if config.auctionsTimeDifftime hasn't passed. The startAuctionfunction has following checks:
As _currentEpochIdis not updated in recoverTokenand the epochInfodata corresponding to it is deleted, prevAuctionInfo.endTimewill be 0. So, the condition prevAuctionInfo.endTime + config.auctionsTimeDiff > block.timestampwill always pass because config.auctionsTimeDiffwill generally be 1 weeks or 2 weeks. Due to this, it will be possible to start an auction as soon as recoverTokenis called.
Impact
New auction can be started with less difference of auctionsTimeDiff.
Tools Used
Manual review
Recommendations
Do not delete whole epochInfoin recoverToken.
Lead Judging Commences
two auctions can be started with less than auctionsTimeDiff time difference due to recoverToken deleting the epochs[epochId]
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.