DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

User Could Manipulate Auction to Acquire Tokens for Cheap

Summary

Users could get tokens for cheap

Vulnerability Details

The current auction contract allows users to bid any amount of points, which could introduce issues in the auction process. If there are very few participants in the auction, or if the total amount bid is very low, the auction tokens will still be distributed among those who did bid, regardless of how small their bids were. Users might manipulate the bidding process by placing an initially large bid to discourage other participants from bidding, and then withdrawing most of their bid just before the auction ends, enabling them to acquire auction tokens at a much lower cost than intended. Such manipulation can undermine the fairness of the auction, lead to a significant loss of value for the project, and result in reduced trust from participants.

    /**
     * @notice Places a bid in the auction.
     * @param amount The amount of FjordPoints to bid.
     */
    function bid(uint256 amount) external {
        if (block.timestamp > auctionEndTime) {
            revert AuctionAlreadyEnded();
        }
        bids[msg.sender] = bids[msg.sender].add(amount);
        totalBids = totalBids.add(amount);
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

Without a minimum bid requirement, even trivial bids could result in a user receiving a significant portion of the auction tokens.

Proof of Concept (PoC)

Initial Large Bid:

  • A user places a very large bid early in the auction. This large bid dissuades other users from participating, as it appears that the auction is heavily contested.
    Example: A user bids 10,000 FjordPoints early in the auction.

  • Other potential bidders are discouraged from participating due to the high bid. The auction appears to be dominated by the large bid, reducing competition.

  • Just before the auction ends, the original bidder withdraws a significant portion of their bid, leaving only a minimal amount in the auction.
    Example: The user withdraws 9,990 FjordPoints, leaving only 10 FjordPoints as their bid.

  • Due to the lack of competition and the late withdrawal, the remaining auction tokens are distributed based on the small remaining bid. The manipulative bidder ends up acquiring a disproportionate share of the tokens for a fraction of the cost.

  • The user claims a large portion of the auction tokens with only 10 FjordPoints, instead of the 10,000 initially committed.

Impact

Users could get tokens for cheap

Tools Used

Manual review

Recommendations

Enforce a minimum bid amount to ensure that every bid has a significant impact on the auction, preventing small bids from disproportionately influencing the outcome.

Bid Locking in Final Stage: Implement a rule that locks bids in place for a certain period before the auction ends. During this final stage, users should be unable to withdraw their bids, preventing last-minute manipulations.

Withdrawal Penalties: Consider adding penalties for late withdrawals, where a percentage of the withdrawn amount is forfeited or burned, discouraging strategic bid retractions.
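The three recommendations above, combined into one hardened bid/withdraw pair, as an added example; this is not the project's code and it does not reproduce the auction's claim logic. It assumes a 0.8.x compiler with checked arithmetic (so no SafeMath `.add`), that `fjordPoints` is an ERC20, and that `auctionEndTime` is fixed at deployment. The concrete values `MIN_BID`, `LOCK_WINDOW`, `PENALTY_WINDOW` and `LATE_PENALTY_BPS` are placeholders chosen for illustration, and the `withdraw` function itself is assumed, since the report only shows `bid`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Added example: bid() with a minimum position size, withdraw() that is
/// locked in the final window and penalised when late. Not the project's code.
contract HardenedAuction {
    IERC20 public immutable fjordPoints;
    uint256 public immutable auctionEndTime;

    // Illustrative parameters (assumptions, not values from the audited contract).
    uint256 public constant MIN_BID = 100e18;          // smallest position allowed to remain
    uint256 public constant LOCK_WINDOW = 1 hours;     // no withdrawals at all in the final hour
    uint256 public constant PENALTY_WINDOW = 6 hours;  // withdrawals in the last 6h pay a penalty
    uint256 public constant LATE_PENALTY_BPS = 1_000;  // 10% of the withdrawn amount

    mapping(address => uint256) public bids;
    uint256 public totalBids;
    uint256 public totalPenalties; // forfeited points; burn or sweep to treasury (assumption)

    event BidAdded(address indexed bidder, uint256 amount);
    event BidWithdrawn(address indexed bidder, uint256 amount, uint256 penalty);

    error AuctionAlreadyEnded();
    error BidTooSmall(uint256 resulting, uint256 minimum);
    error BidsLocked(uint256 lockStart);
    error InsufficientBid(uint256 requested, uint256 available);

    constructor(IERC20 _fjordPoints, uint256 _auctionEndTime) {
        // Guarantees auctionEndTime - PENALTY_WINDOW cannot underflow below.
        require(_auctionEndTime > block.timestamp + PENALTY_WINDOW, "end time too soon");
        fjordPoints = _fjordPoints;
        auctionEndTime = _auctionEndTime;
    }

    /// Minimum applies to the resulting position, so top-ups below MIN_BID are allowed
    /// once the bidder already holds at least MIN_BID.
    function bid(uint256 amount) external {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
        uint256 resulting = bids[msg.sender] + amount;
        if (resulting < MIN_BID) revert BidTooSmall(resulting, MIN_BID);

        bids[msg.sender] = resulting;
        totalBids += amount;
        // State updated before the external call; use SafeERC20 for non-reverting tokens.
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

    /// Withdrawals are refused inside LOCK_WINDOW, penalised inside PENALTY_WINDOW,
    /// and may never leave a non-zero position smaller than MIN_BID.
    function withdraw(uint256 amount) external {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
        uint256 lockStart = auctionEndTime - LOCK_WINDOW;
        if (block.timestamp >= lockStart) revert BidsLocked(lockStart);

        uint256 current = bids[msg.sender];
        if (amount > current) revert InsufficientBid(amount, current);
        uint256 remaining = current - amount;
        if (remaining != 0 && remaining < MIN_BID) revert BidTooSmall(remaining, MIN_BID);

        uint256 penalty = 0;
        if (block.timestamp >= auctionEndTime - PENALTY_WINDOW) {
            penalty = (amount * LATE_PENALTY_BPS) / 10_000;
        }

        bids[msg.sender] = remaining;
        totalBids -= amount;          // the penalised share still leaves the bid pool
        totalPenalties += penalty;    // but stays in the contract instead of returning to the bidder
        fjordPoints.transfer(msg.sender, amount - penalty);
        emit BidWithdrawn(msg.sender, amount, penalty);
    }
}
```

With these checks the sequence in the PoC (bid 10,000, withdraw 9,990 at the last moment) fails at `withdraw`: inside `LOCK_WINDOW` the call reverts with `BidsLocked`, and slightly earlier it both pays `LATE_PENALTY_BPS` on the 9,990 and reverts with `BidTooSmall` because the 10-point remainder is below `MIN_BID`. The minimum is enforced on the resulting position rather than on each transfer so that legitimate top-ups are not blocked; `totalBids` is reduced by the full withdrawn amount so that the pro-rata share computed at claim time is not distorted by forfeited points.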

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
