Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Attacker can manipulate auction results by frontrunning `auctionEnd`

4gontuk

Summary

The auctionEnd function in the FjordAuction contract can be called by anyone once the auction end time has passed. This creates a vulnerability where an attacker can manipulate the final state of the auction by frontrunning the auctionEnd function with a series of transactions that temporarily inflate the totalBids, resulting in an artificially low multiplier for token distribution.

Vulnerability Details

The auctionEnd function is designed to finalize the auction, calculate the token distribution multiplier, and burn the FjordPoints. This function can be called by anyone once the auction end time has passed. The relevant part of the code is:

File: FjordAuction.sol

181: function auctionEnd() external {

182: if (block.timestamp < auctionEndTime) {

183: revert AuctionNotYetEnded();

184: }

185: if (ended) {

186: revert AuctionEndAlreadyCalled();

187: }

188:

189: ended = true;

190: emit AuctionEnded(totalBids, totalTokens);

191:

192: if (totalBids == 0) {

193: auctionToken.transfer(owner, totalTokens);

194: return;

195: }

196:

197: multiplier = totalTokens.mul(PRECISION_18).div(totalBids);

198:

199: // Burn the FjordPoints held by the contract

200: uint256 pointsToBurn = fjordPoints.balanceOf(address(this));

201: fjordPoints.burn(pointsToBurn);

202: }

The issue arises because the auctionEnd function can be called by anyone, allowing an attacker to manipulate the final state of the auction through a series of carefully timed transactions. The attacker can place a large bid just before the auction ends, call auctionEnd to set the multiplier based on the inflated totalBids, and then withdraw their bid, restoring their funds but leaving the multiplier artificially low.

Impact

The final token distribution can be unfairly manipulated, causing honest participants to receive fewer tokens than they should. This compromises the integrity and fairness of the auction process, leading to potential financial loss for participants and loss of trust in the auction system.

Proof of Concept

Auction End Time Approaching:
- The auction is about to end, and participants have placed their bids.
Attacker's Actions:
- The attacker places a large bid just before the auction end time.
- The attacker calls auctionEnd, setting the multiplier based on the inflated totalBids.
- The attacker withdraws their bid, restoring their funds.
Result:
- The multiplier is lower than it should be, causing other participants to receive fewer tokens.
- The attacker has manipulated the auction to their advantage.

Tools Used

Manual review

Recommendation

To prevent this manipulation, implement a time-delay mechanism for ending the auction and a commit-reveal scheme for final bids. This approach ensures that the auction end process is more secure and less susceptible to manipulation.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.