TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: medium
Valid

removeAuctionConfig doesn't handle _totalAuctionTokenAllocation

Summary

The function removeAuctionConfig forgets to reduce _totalAuctionTokenAllocation, leaving the tokens stuck inside the contract.

Vulnerability Details

When an auction is started, startAuction calculates how many tokens this auction will allocate (epochAuctionTokenAmount) and adds them to _totalAuctionTokenAllocation.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L158-L173

uint256 totalAuctionTokenAllocation = _totalAuctionTokenAllocation[auctionToken];
uint256 balance = IERC20(auctionToken).balanceOf(address(this));
uint256 epochAuctionTokenAmount = balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]);
...
_totalAuctionTokenAllocation[auctionToken] = totalAuctionTokenAllocation + epochAuctionTokenAmount;

If necessary, an auction can be stopped and removed using removeAuctionConfig. However, the function's first if branch does not reverse everything that startAuction and setAuctionConfig do. It deletes only auctionConfigs and epochs, and never subtracts epochAuctionTokenAmount from _totalAuctionTokenAllocation.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/SpiceAuction.sol#L119-L126

if (!configSetButAuctionStartNotCalled) {
    if (info.hasEnded()) { revert AuctionEnded(); }
    delete auctionConfigs[id];
    delete epochs[id];
    _currentEpochId = id - 1;
    emit AuctionConfigRemoved(id, id);

Since the tokens allocated inside _totalAuctionTokenAllocation are not accounted for (i.e., _totalAuctionTokenAllocation is not reduced by epochAuctionTokenAmount), they essentially become stuck inside the contract. This is because on every startAuction, the new auction amount is calculated by balance - (totalAuctionTokenAllocation - _claimedAuctionTokens[auctionToken]).
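
The stuck-token effect described above, as an added Python model that is not code from SpiceAuction.sol or from the submission. It assumes a single auction token and no claims, and folds config and start into one step; the class, method and parameter names are hypothetical.

```python
class SpiceAuctionModel:
    """Single-token model of the accounting quoted above (simplified, hypothetical)."""

    def __init__(self, patched):
        self.patched = patched
        self.balance = 0           # IERC20(auctionToken).balanceOf(address(this))
        self.total_allocation = 0  # _totalAuctionTokenAllocation[auctionToken]
        self.claimed = 0           # _claimedAuctionTokens[auctionToken]
        self.epochs = {}           # epoch id -> totalAuctionTokenAmount
        self.current_epoch_id = 0  # _currentEpochId

    def fund(self, amount):
        # Tokens transferred to the contract ahead of an auction.
        self.balance += amount

    def start_auction(self):
        # Same formula as startAuction: unallocated balance becomes the epoch amount.
        epoch_amount = self.balance - (self.total_allocation - self.claimed)
        self.total_allocation += epoch_amount
        self.current_epoch_id += 1
        self.epochs[self.current_epoch_id] = epoch_amount
        return epoch_amount

    def remove_auction_config(self):
        # First branch of removeAuctionConfig: auction started but not ended.
        epoch_id = self.current_epoch_id
        if self.patched:
            # Recommended fix: give the epoch's amount back before deleting it.
            self.total_allocation -= self.epochs[epoch_id]
        del self.epochs[epoch_id]
        self.current_epoch_id = epoch_id - 1


def run_scenario(patched, first_deposit=1000, second_deposit=500):
    """Start an auction, remove it, fund again, restart. Returns
    (amount offered by the new auction, tokens no live epoch accounts for)."""
    m = SpiceAuctionModel(patched)
    m.fund(first_deposit)
    m.start_auction()
    m.remove_auction_config()
    m.fund(second_deposit)
    offered = m.start_auction()
    stuck = m.balance - sum(m.epochs.values())
    return offered, stuck


if __name__ == "__main__":
    print("unpatched:", run_scenario(False))  # (500, 1000)
    print("patched:  ", run_scenario(True))   # (1500, 0)
```
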

Impact

Auction tokens are left stuck inside the contract.

Tools Used

Manual review

Recommendations

Reduce _totalAuctionTokenAllocation when deleting the epoch.

+ (,address auctionToken) = _getBidAndAuctionTokens(auctionConfigs[id]);
+ _totalAuctionTokenAllocation[auctionToken] -= info.totalAuctionTokenAmount;
delete auctionConfigs[id];
delete epochs[id];
_currentEpochId = id - 1;
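Review bot: the two added lines read state that the following two lines delete, so their position above delete auctionConfigs[id] and delete epochs[id] is load-bearing and should be documented. _getBidAndAuctionTokens takes auctionConfigs[id], and if info is a storage reference to epochs[id], info.totalAuctionTokenAmount reads as zero once the epoch is deleted; a one-line comment stating that the deduction must precede the deletes would keep a later reorder from silently reintroducing the bug. The change also comes without a test: a case that starts an auction, removes it, starts another, and asserts that the new epoch's amount includes the removed epoch's tokens would pin the behaviour.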
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

missing totalAuctionTokenAllocation deduction in removeAuctionConfig leads to stuck funds
