TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Wrong condition in `SpiceAuction.recoverToken`

Summary

SpiceAuction.recoverToken() is meant to be used for recovering tokens before startAuction has been called. The check for this condition is wrong.

Vulnerability Details

recoverToken takes the available tokens before an epoch auction has started and sends them to a chosen address.

There are several comments in the code indicating it's meant to be used before startAuction has been called.

```solidity
@notice Recover auction tokens for last but not started auction
```

```solidity
/// @dev use `removeAuctionConfig` for case where `auctionStart` is called and cooldown is still pending
if (info.startTime == 0) { revert InvalidConfigOperation(); }
```

```solidity
/// @dev Now `auctionStart` is not triggered but `auctionConfig` is set (where _currentEpochId is not updated yet)
```

However, as we can see from the second code snippet, the function will always revert when info.startTime == 0. This is the opposite of the original intention.

Impact

As a result, the function will not allow tokens to be retrieved before startAuction has been called and will allow it after that, which can mess up accounting.

Tools Used

Manual Review

Recommendations

Flip the condition

- if (info.startTime == 0) { revert InvalidConfigOperation(); }
+ if (info.startTime != 0) { revert InvalidConfigOperation(); }
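
Review bot: The flipped check on `info.startTime` is not justified by the lines shown, because nothing here says which epoch `info` is read from. The quoted comment that follows the check says `_currentEpochId` is not updated yet when `auctionConfig` is set but `auctionStart` has not been triggered, so `info` may describe an epoch other than the pending one, and `!= 0` could then revert in the very case the function is documented for. Before changing the operator, include the line that loads `info` and add a test that calls `recoverToken` both before and after `startAuction`.
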
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
