DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

No check for zero amount bid in the `bid` function

Summary

The bid function in the FjordAuction contract does not validate that the bid amount is greater than zero, potentially allowing users to place zero amount bids. This could lead to unnecessary state changes and gas consumption, and could even complicate the auction's accounting process.

Vulnerability Details

Looking at the bid function:

    function bid(uint256 amount) external {
        if (block.timestamp > auctionEndTime) {
            revert AuctionAlreadyEnded();
        }
        bids[msg.sender] = bids[msg.sender].add(amount);
        totalBids = totalBids.add(amount);
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

There is no check to ensure that the amount parameter is greater than zero. This allows users to submit bids with zero value, which are processed as valid bids by the contract.

Impact

Unnecessary state changes and gas consumption for zero-value bids. It can also complicate the auction accounting and final token distribution calculations.

Tools Used

Manual code review

Recommendations

Implement a check at the beginning of the bid function to ensure the bid amount is greater than zero:

    function bid(uint256 amount) external {
        if (amount == 0) {
            revert InvalidBidAmount();
        }
        // ... rest of the function
    }

Also add a new custom error for invalid bid amounts:

    error InvalidBidAmount();

Consider making these changes to the unbid function as well:

    function unbid(uint256 amount) external {
        if (amount == 0) {
            revert InvalidUnbidAmount();
        }
        // ... rest of the function
    }

These changes will ensure that all bids and unbids have a positive value, thus preventing potential issues related to zero-value transactions.
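
A Foundry regression test for the recommended guard, added here as an example and not taken from the submission or the FjordAuction repository. `AuctionModel` and `MockPoints` are hypothetical, simplified stand-ins (Solidity 0.8 checked arithmetic instead of `.add`, the `BidAdded` event omitted, a fixed one-day duration, no allowance check in the mock).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the points token: only what bid() needs.
contract MockPoints {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        balanceOf[from] -= amt; // reverts on underflow in 0.8
        balanceOf[to] += amt;
        return true;
    }
}

// Simplified model of the bid path with the zero-amount guard applied.
contract AuctionModel {
    error AuctionAlreadyEnded();
    error InvalidBidAmount();
    MockPoints public fjordPoints;
    uint256 public auctionEndTime = block.timestamp + 1 days; // assumed duration
    uint256 public totalBids;
    mapping(address => uint256) public bids;
    constructor(MockPoints points) { fjordPoints = points; }
    function bid(uint256 amount) external {
        if (amount == 0) revert InvalidBidAmount(); // guard before any state write
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
        bids[msg.sender] += amount;
        totalBids += amount;
        fjordPoints.transferFrom(msg.sender, address(this), amount);
    }
}

contract ZeroBidTest is Test {
    MockPoints points = new MockPoints();
    AuctionModel auction = new AuctionModel(points);
    function setUp() public { points.mint(address(this), 100); }

    function test_ZeroBidReverts() public {
        vm.expectRevert(AuctionModel.InvalidBidAmount.selector);
        auction.bid(0);
    }

    function test_PositiveBidIsRecorded() public {
        auction.bid(40);
        assertEq(auction.bids(address(this)), 40);
        assertEq(auction.totalBids(), 40);
        assertEq(points.balanceOf(address(auction)), 40);
    }
}
```

Run with `forge test` in a project that has forge-std installed; the second test confirms the guard does not change accounting for ordinary bids.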

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
