Removing an auction config breaks the accounting
Summary
SpiceAuction.removeAuctionConfig can be used to remove a config for the current epoch's auction if it hasn't started yet. Because the state is not updated properly, this action will break the accounting of the contract.
Vulnerability Details
This is the code that does the deletion.
It removes the auction config and the epoch info. It also decreases the value of _currentEpochId. The intention is that the DAO will set a new epoch config and startAuction will be called again for the same epoch. So, removeAuctionConfig is like an undo operation for startAuction and setAuctionConfig.
The problem is that not all state changes done in startAuction are reversed in removeAuctionConfig. When starting an auction, the _totalAuctionTokenAllocation state variable is increased with the current epoch's token amount, but it's never decreased.
This means whenever startAuction is called after config removal, _totalAuctionTokenAllocation will still hold the old cumulated value and the new epoch's token amount will be added on top of that.
Impact
Because _totalAuctionTokenAllocation is a crucial state variable which is used to calculate things like how much tokens are currently available and etc., the contract's logic will be completely broken. There may also be cases where overflows happen.
Tools Used
Manual Review
Recommendations
Subtract the epoch's token amount from the total amount before deleting the epoch info.
Lead Judging Commences
missing totalAuctionTokenAllocation deduction in removeAuctionConfig leads to stuck funds
Appeal created
missing totalAuctionTokenAllocation deduction in removeAuctionConfig leads to stuck funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.