DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Lack of Reentrancy Protection in Critical Functions

Vulnerability Details:

The bid(), unbid(), auctionEnd(), and claimTokens() functions in the FjordAuction contract interact with external ERC20 tokens without implementing reentrancy guards. While these functions follow the checks-effects-interactions pattern, they remain vulnerable to potential reentrancy attacks if the ERC20 token contracts contain malicious code.

Impact

An attacker could potentially exploit this vulnerability to manipulate auction outcomes, drain funds, or disrupt the auction process. This could lead to financial losses for participants and compromise the integrity of the auction system.

Proof Of Concept:

Link to code

    function bid(uint256 amount) external {
        // Check: the auction must still be open.
        if (block.timestamp > auctionEndTime) {
            revert AuctionAlreadyEnded();
        }
        // Effects: state is updated before the external call.
        bids[msg.sender] = bids[msg.sender].add(amount);
        totalBids = totalBids.add(amount);
        // Interaction: the ERC20 transfer is the only external call, and the
        // function carries no reentrancy guard.
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

Tools Used:

Manual review

Recommendations:

Implement the nonReentrant modifier from OpenZeppelin's ReentrancyGuard contract on all functions that interact with external contracts.

Example fix:

    import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

    contract FjordAuction is ReentrancyGuard {
        // nonReentrant reverts if bid() is entered again before it returns.
        function bid(uint256 amount) external nonReentrant {
            // ... existing code ...
        }
    }
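The recommendation carried through on bid() and unbid(), as an added example that is not the FjordAuction project's code: the checks-effects-interactions ordering of the original is kept, and nonReentrant is layered on top as defence in depth so that any re-entry through a token hook reverts before it can touch bids or totalBids. The OpenZeppelin v4 import paths, the use of SafeERC20 and the constructor/unbid details are assumptions; auctionEnd() and claimTokens() would receive the same modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin v4 layout (v5 moves ReentrancyGuard to utils/).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative contract, not the audited FjordAuction; only the names
// bids, totalBids, fjordPoints and auctionEndTime mirror the report.
contract GuardedAuctionExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error AuctionAlreadyEnded();
    error InsufficientBid();

    IERC20 public immutable fjordPoints;
    uint256 public immutable auctionEndTime;
    uint256 public totalBids;
    mapping(address => uint256) public bids;

    event BidAdded(address indexed bidder, uint256 amount);
    event BidWithdrawn(address indexed bidder, uint256 amount);

    constructor(IERC20 points, uint256 endTime) {
        fjordPoints = points;
        auctionEndTime = endTime;
    }

    // Checks, effects, then the single external call. nonReentrant makes
    // a nested call into bid()/unbid() from a token hook revert outright.
    function bid(uint256 amount) external nonReentrant {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
        bids[msg.sender] += amount;            // effect (checked arithmetic)
        totalBids += amount;
        fjordPoints.safeTransferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

    // Same discipline on the withdrawal path, which hands tokens out and is
    // therefore the more valuable target for a re-entrant caller.
    function unbid(uint256 amount) external nonReentrant {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
        uint256 current = bids[msg.sender];
        if (current < amount) revert InsufficientBid();
        bids[msg.sender] = current - amount;   // effect before interaction
        totalBids -= amount;
        fjordPoints.safeTransfer(msg.sender, amount);
        emit BidWithdrawn(msg.sender, amount);
    }
}
```

With the guard in place, a unit test that re-enters from a mock token's transfer hook should observe a revert from ReentrancyGuard rather than any change in bids or totalBids.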
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
