DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Potential Auction Sniping Vulnerability in FjordAuction Contract

Summary

A bidder can monitor the auction and place a significantly higher bid in its final moments, capturing a disproportionate share of the tokens because earlier bidders have no time to react.

Vulnerability Details

The current implementation of the contract is vulnerable to auction sniping. A bidder can potentially monitor the auction and place a significantly higher bid in the final moments, securing a disproportionate share of the totalTokens at the expense of earlier bidders. This behavior can lead to:

  • Unfair Token Distribution: Last-second bids can overshadow earlier bids, resulting in an inequitable allocation of tokens.

  • Reduced Participation: The anticipation of auction sniping may discourage participation, leading to fewer bids and less effective price discovery.

  • Market Distortion: The final token price may not accurately reflect true market demand, as other participants do not have time to react to the sniping bid.

Proof of Concept (PoC)

  • Assume an auction has been running for an hour, with 10 bidders collectively contributing 1,000 FjordPoints.
    The auctionEndTime is set for 12:00 PM.

  • At the last minute, a new bidder places a bid of 10,000 FjordPoints, raising the totalBids to 11,000 FjordPoints.

  • The last-second bidder now controls approximately 90.9% of the totalTokens, leaving the previous 10 bidders to share only 9.1% of the tokens.
    Earlier bidders are disadvantaged as they had no time to react or adjust their bids.

Impact

A bidder can potentially monitor the auction and place a significantly higher bid in the final moments.

Tools Used

Manual Review

Recommendations

Implement an auction extension mechanism. This mechanism would automatically extend the auction's end time by a predefined period (e.g., 5 minutes) if a bid is placed within the last few minutes before the scheduled end time. Here’s how this can be implemented:

```solidity
function bid(uint256 amount) external {
    if (block.timestamp > auctionEndTime) {
        revert AuctionAlreadyEnded();
    }
    // Extend the auction if a bid is placed within the last 5 minutes,
    // so other participants have time to respond to a late bid
    uint256 timeRemaining = auctionEndTime - block.timestamp;
    if (timeRemaining <= 5 minutes) {
        auctionEndTime = block.timestamp + 5 minutes;
    }
    bids[msg.sender] = bids[msg.sender].add(amount);
    totalBids = totalBids.add(amount);
    fjordPoints.transferFrom(msg.sender, address(this), amount);
    emit BidAdded(msg.sender, amount);
}
```
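As an added illustration (not code from the FjordAuction contract or this submission), the following Python model replays the PoC numbers through a pro-rata split and shows the effect of the proposed extension rule; the class and function names, the 5-minute window and the token total are assumptions made for this example.

```python
# Added example: minimal model of a pro-rata token auction with the
# anti-sniping extension proposed in the recommendation.
# AuctionModel, place_bid, allocation, EXTENSION_WINDOW and the sample
# numbers are assumptions for this illustration, not FjordAuction code.
from dataclasses import dataclass, field

EXTENSION_WINDOW = 5 * 60  # seconds; the 5-minute window from the recommendation


@dataclass
class AuctionModel:
    auction_end_time: int
    total_tokens: int
    bids: dict = field(default_factory=dict)
    total_bids: int = 0
    extend_on_late_bid: bool = True

    def place_bid(self, bidder: str, amount: int, now: int) -> int:
        """Record a bid placed at time `now`; return the (possibly extended) end time."""
        if now > self.auction_end_time:
            raise RuntimeError("AuctionAlreadyEnded")
        if self.extend_on_late_bid and self.auction_end_time - now <= EXTENSION_WINDOW:
            # Mirrors the recommended fix: a late bid pushes the end time out
            self.auction_end_time = now + EXTENSION_WINDOW
        self.bids[bidder] = self.bids.get(bidder, 0) + amount
        self.total_bids += amount
        return self.auction_end_time

    def allocation(self, bidder: str) -> int:
        """Pro-rata share of total_tokens, with integer division as Solidity would do."""
        return self.total_tokens * self.bids[bidder] // self.total_bids


def sniping_scenario(extend: bool) -> tuple:
    """Replay the PoC: 10 bidders x 100 points, then a 10,000-point bid at T-60s.

    Returns (sniper_tokens, early_bidders_tokens, seconds_the_end_moved).
    """
    end = 12 * 3600  # constructed: 12:00 PM expressed as seconds since midnight
    auction = AuctionModel(auction_end_time=end, total_tokens=1_000_000,
                           extend_on_late_bid=extend)
    for i in range(10):
        auction.place_bid(f"early{i}", 100, end - 3600)   # an hour before the end
    new_end = auction.place_bid("sniper", 10_000, end - 60)  # one minute before the end
    early_total = sum(auction.allocation(f"early{i}") for i in range(10))
    return auction.allocation("sniper"), early_total, new_end - end
```

Without the extension the sniper takes about 90.9% of the tokens and the auction still closes at 12:00; with it, the same bid moves the close out by four minutes, giving earlier bidders a window to respond.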
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
