In the current implementation of the FjordAuction contract, users can withdraw their bids at any time before the auction ends, without restriction. This lets an exploiter manipulate the auction by placing a large bid to intimidate other bidders and then withdrawing most of it later, leaving a smaller final bid while still claiming a significant portion of the auction tokens.
Exploiter's Strategy: An exploiter places a very large bid, say 1000 FjordPoints, to scare off other bidders.
Effect: Other bidders will get discouraged from bidding.
Withdrawal Before Auction End: As the auction nears its end, the exploiter withdraws 900 FjordPoints, leaving only 100 FjordPoints as their final bid.
Outcome: The exploiter ends up claiming a disproportionately large share of the auction tokens based on their remaining 100 FjordPoints, despite withdrawing most of their bid.
uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
Exploiters can manipulate the auction to their advantage by artificially inflating the bidding amount to intimidate others, only to withdraw most of their bid later. This can lead to unfair outcomes where the exploiter gains a disproportionate amount of auction tokens compared to the true final bid amounts.
Manual Code Review
Restrict withdrawals close to the auction end, so that other users also get time to bid.