**Description:** The `FjordAuction::unbid` function does not check the return value of its `fjordPoints.transfer` call (marked `@>` below), and not all tokens return a value from this call.
**Impact:** If the transfer fails without reverting, `bids[msg.sender]` and `totalBids` are still reduced and `BidWithdrawn` is still emitted, so the user ends up without receiving the money.
```javascript
/// Withdraws `amount` of the caller's bid before the auction ends and sends the
/// same amount of `fjordPoints` back to the caller.
/// Reverts with AuctionAlreadyEnded, NoBidsToWithdraw or InvalidUnbidAmount (see checks below).
function unbid(uint256 amount) external {
// Unbidding is only allowed up to and including auctionEndTime.
if (block.timestamp > auctionEndTime) {
revert AuctionAlreadyEnded();
}
uint256 userBids = bids[msg.sender];
// The caller must have an outstanding bid...
if (userBids == 0) {
revert NoBidsToWithdraw();
}
// ...and cannot withdraw more than that bid.
if (amount > userBids) {
revert InvalidUnbidAmount();
}
// Accounting is reduced before the external token call.
// NOTE(review): `.sub` is presumably SafeMath's checked subtraction; confirm against the contract's imports.
bids[msg.sender] = bids[msg.sender].sub(amount);
totalBids = totalBids.sub(amount);
// Finding: the value returned by transfer() is discarded. If the token signals failure by
// returning false instead of reverting, the two updates above are kept and the event below
// is still emitted, although no tokens reached msg.sender.
@> fjordPoints.transfer(msg.sender, amount);
emit BidWithdrawn(msg.sender, amount);
}
```
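**Recommended Mitigation:** Use the `SafeERC20` library from OpenZeppelin. Its `safeTransfer` reverts when the token call fails or returns `false`, and it also accepts tokens that return no value, so a failed transfer rolls back the `bids` and `totalBids` updates.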
```diff
+ import {SafeERC20} from "lib/openzeppelin-contracts/contracts/token/ERC20/utils/SafeERC20.sol";
.
.
.
contract FjordAuction {
+ using SafeERC20 for ERC20;
.
.
.
function unbid(uint256 amount) external {
if (block.timestamp > auctionEndTime) {
revert AuctionAlreadyEnded();
}
uint256 userBids = bids[msg.sender];
if (userBids == 0) {
revert NoBidsToWithdraw();
}
if (amount > userBids) {
revert InvalidUnbidAmount();
}
bids[msg.sender] = bids[msg.sender].sub(amount);
totalBids = totalBids.sub(amount);
- fjordPoints.transfer(msg.sender, amount);
+ fjordPoints.safeTransfer(msg.sender, amount);
emit BidWithdrawn(msg.sender, amount);
}
}
```
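Review bot: The added `using SafeERC20 for ERC20;` only attaches `safeTransfer` to `fjordPoints` if that state variable's declared type is covered by the directive, and neither the declaration nor an `ERC20` import is visible in this snippet. Confirm the declared type of `fjordPoints` and name that type (or `IERC20`) in the `using` directive so the mitigation compiles as written. It would also help to put a comment above the changed call, for example `// safeTransfer reverts on a failed or false-returning transfer, undoing the bids/totalBids updates above`. A regression test with a mock token whose `transfer` returns `false` should assert that `unbid` reverts and that `bids[msg.sender]` and `totalBids` are unchanged. The rest of the contract is elided here, so other calls on `fjordPoints` that may need the same treatment cannot be checked from this page.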