Assuming decimals of auction token is 18 is risky
Summary
The FjordAuction::auctionEnd() function assumes that the auction tokens have 18 decimals. This assumption is risky because many tokens, such as USDC, have different decimals.
Vulnerability Details
The multiplier for claimable tokens is calculated using the following formula:
Here, decimals of bid point is 18. However, this formula implicitly assumes that the auction tokens also have 18 decimals. If the auction token has a different number of decimals, such as 6 for USDC, this assumption can lead to incorrect calculations.
Impact
Unexpect rounding down causes loss of assets.
For example, given:
totalTokensof USDC is 100e6totalBidsof point is 1000000000e18
multiplier = 100e6 * 1e18 / 1000000000e18 = 0, resulting in claimable auction tokens being zero.
Tools Used
vscode
Recommendations
Normalize the decimals of the auction token to 18 before performing further calculations.
Lead Judging Commences
Low decimal tokens or super small bids can lead to 0 claims
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.