The Fjord team uses the new CREATE2 mechanism for deploying contracts at deterministic addresses by supplying a special salt variable. By doing so, they can easily predict the address of a newly deployed contract. However, with the current setup in FjordAuctionFactory, a malicious user could front-run the creation of the new auction, as all of the deployment variables are sent as arguments to the createAuction(...) method.
The CREATE2 opcode uses an arbitrary user-provided salt variable to always produce the same address, allowing users to predict where their new contract will be deployed. The issue in Fjord is that the salt is passed directly as an argument to the contract deployment function, which means that anyone could monitor the transaction pool for the call, get the salt, and front-run the creation, causing the initial sender's transaction to revert.
Auction admins can be DoS-ed from deploying new auctions by front-runners. In some cases, if they decide to send funds to the predetermined address before deploying, the funds will be hijacked.
Manual review
Adding msg.sender to the salt argument passed to createAuction(...) will resolve this issue.
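One way to apply this recommendation, shown as an added example and not as Fjord's own code: the contract names, the single biddingTime constructor argument, the event and the helper functions are hypothetical, and hashing msg.sender together with the salt is one possible way of adding it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the auction contract (not Fjord's code).
contract Auction {
    uint256 public immutable biddingTime;
    constructor(uint256 _biddingTime) { biddingTime = _biddingTime; }
}

// Hypothetical factory sketch; only createAuction(...) and the salt come from the finding.
contract AuctionFactorySketch {
    event AuctionCreated(address indexed auction, address indexed creator);

    // Before: the address depends only on (factory, salt, init code), all of
    // which are visible in the pending transaction, so any caller can occupy it
    // first and the original call reverts on the already-used address.
    function createAuctionRawSalt(uint256 biddingTime, bytes32 salt) external returns (address) {
        Auction a = new Auction{salt: salt}(biddingTime);
        emit AuctionCreated(address(a), msg.sender);
        return address(a);
    }

    // After: the effective salt is bound to the caller, so a copied call from
    // another account deploys to a different address and cannot collide.
    function createAuction(uint256 biddingTime, bytes32 salt) external returns (address) {
        Auction a = new Auction{salt: _callerSalt(msg.sender, salt)}(biddingTime);
        emit AuctionCreated(address(a), msg.sender);
        return address(a);
    }

    // Predicts the hardened deployment address for a given creator, so the
    // address stays deterministic for the legitimate deployer.
    function predictAuction(address creator, uint256 biddingTime, bytes32 salt) external view returns (address) {
        bytes32 initCodeHash = keccak256(abi.encodePacked(type(Auction).creationCode, abi.encode(biddingTime)));
        bytes32 digest = keccak256(
            abi.encodePacked(bytes1(0xff), address(this), _callerSalt(creator, salt), initCodeHash)
        );
        return address(uint160(uint256(digest)));
    }

    // Mixes the creator into the user-supplied salt.
    function _callerSalt(address creator, bytes32 salt) private pure returns (bytes32) {
        return keccak256(abi.encode(creator, salt));
    }
}
```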