**Description:** The `FjordAuction::bid` function does not check the return value of its `transferFrom` call; in addition, not all tokens return a value from `transferFrom`.
**Impact:** The transfer can fail without reverting, and the bid is still recorded.
```solidity
/// Records a bid of `amount` for the caller and requests a transfer of that many
/// fjordPoints tokens from the caller to this contract.
/// Reverts with AuctionAlreadyEnded once block.timestamp is past auctionEndTime.
function bid(uint256 amount) external {
// Only timestamps strictly after auctionEndTime are rejected; a bid at exactly auctionEndTime passes.
if (block.timestamp > auctionEndTime) {
revert AuctionAlreadyEnded();
}
// The per-bidder and total accounting is written before the token transfer below is attempted.
bids[msg.sender] = bids[msg.sender].add(amount);
totalBids = totalBids.add(amount);
// "@>" is the audit's marker for the flagged line, not Solidity syntax.
// Whatever transferFrom returns is discarded: a token that signals failure by returning false
// instead of reverting leaves the bid recorded above even though no tokens moved.
@> fjordPoints.transferFrom(msg.sender, address(this), amount);
emit BidAdded(msg.sender, amount);
}
```
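**Recommended Mitigation:** Use the `SafeERC20` library from OpenZeppelin; its `safeTransferFrom` reverts when the token call fails or returns `false`, and it also handles tokens that return no value.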
```diff
+ import {SafeERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/utils/SafeERC20.sol";
.
.
.
contract FjordAuction {
+ using SafeERC20 for ERC20;
.
.
.
function bid(uint256 amount) external {
if (block.timestamp > auctionEndTime) {
revert AuctionAlreadyEnded();
}
bids[msg.sender] = bids[msg.sender].add(amount);
totalBids = totalBids.add(amount);
- fjordPoints.transferFrom(msg.sender, address(this), amount);
+ fjordPoints.safeTransferFrom(msg.sender, address(this), amount);
emit BidAdded(msg.sender, amount);
}
```
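Review bot: The added `using SafeERC20 for ERC20;` attaches `safeTransferFrom` only to the type named in the directive, and the declaration of `fjordPoints` is not part of this excerpt. If that variable is declared with a different type, the directive should name that type instead (for example `using SafeERC20 for IERC20;` for an `IERC20` variable), otherwise the new call in `bid` will not resolve. The writes to `bids` and `totalBids` still precede the external call, which is acceptable here because a revert from `safeTransferFrom` also undoes those writes. Any other `transfer`/`transferFrom` calls in `FjordAuction` that the `.` lines elide presumably need the same wrapper, and the change would benefit from a test using a mock token that returns `false`.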