DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Valid

`bid` and `unbid` at `auctionEndTime` can be front-run by calling `auctionEnd`

Summary

If a user wants to bid or unbid at `auctionEndTime`, a malicious attacker can front-run the user's transaction and call `auctionEnd` first. The user's bid and unbid will revert.

Vulnerability Details

FjordAuction::bid

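```solidity
function bid(uint256 amount) external {
    // Bidding is allowed up to and including auctionEndTime
    if (block.timestamp > auctionEndTime) {
        revert AuctionAlreadyEnded();
    }
    // ... (rest of the function is not shown in this report)
}
```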

FjordAuction::unbid

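```solidity
function unbid(uint256 amount) external {
    // Unbidding is allowed up to and including auctionEndTime
    if (block.timestamp > auctionEndTime) {
        revert AuctionAlreadyEnded();
    }
    // ... (rest of the function is not shown in this report)
}
```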

FjordAuction::auctionEnd

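```solidity
function auctionEnd() external {
    // Ending is allowed from auctionEndTime onwards, including auctionEndTime itself
    if (block.timestamp < auctionEndTime) {
        revert AuctionNotYetEnded();
    }
    // ... (rest of the function is not shown in this report)
}
```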

From the code above, if `block.timestamp` is equal to `auctionEndTime`, all three functions (`bid`/`unbid`/`auctionEnd`) can be called.
If a user wants to bid or unbid at `auctionEndTime`, a malicious attacker can front-run the user's transaction and call `auctionEnd` first. The user's bid and unbid will revert.
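The boundary case described above, as an added example (not code from the report or from the audited contract): a Foundry test over a hypothetical `GuardModel` contract that contains only the three quoted timestamp guards, checked once with `auctionEnd` comparing by `<` and once with the comparison made inclusive (`<=`). `GuardModel`, `inclusiveEndGuard`, `BoundaryTest` and the `END` value are assumptions made for the illustration, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: only the three timestamp guards quoted above, no auction logic.
contract GuardModel {
    error AuctionAlreadyEnded();
    error AuctionNotYetEnded();
    uint256 public immutable auctionEndTime;
    bool public immutable inclusiveEndGuard; // true: auctionEnd also rejects t == auctionEndTime

    constructor(uint256 endTime, bool inclusive) {
        auctionEndTime = endTime;
        inclusiveEndGuard = inclusive;
    }

    function bid(uint256) external view {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
    }

    function unbid(uint256) external view {
        if (block.timestamp > auctionEndTime) revert AuctionAlreadyEnded();
    }

    function auctionEnd() external view {
        if (block.timestamp < auctionEndTime) revert AuctionNotYetEnded();
        if (inclusiveEndGuard && block.timestamp == auctionEndTime) revert AuctionNotYetEnded();
    }
}

contract BoundaryTest is Test {
    uint256 constant END = 1_000_000; // constructed sample end time

    function test_strictGuard_allThreePassAtEndTime() public {
        GuardModel m = new GuardModel(END, false);
        vm.warp(END); // block.timestamp == auctionEndTime
        m.bid(1); m.unbid(1); m.auctionEnd(); // overlap: none of the guards reverts
    }

    function test_inclusiveGuard_windowsAreDisjoint() public {
        GuardModel m = new GuardModel(END, true);
        vm.warp(END);
        m.bid(1); m.unbid(1); // end time still belongs to the bidding window
        vm.expectRevert(GuardModel.AuctionNotYetEnded.selector);
        m.auctionEnd();
        vm.warp(END + 1); // first timestamp at which the auction can be ended
        m.auctionEnd();
        vm.expectRevert(GuardModel.AuctionAlreadyEnded.selector);
        m.bid(1);
    }
}
```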

Impact

If a user wants to bid or unbid at `auctionEndTime`, a malicious attacker can front-run the user's transaction and call `auctionEnd` first. The user's bid and unbid will revert.

Tools Used

manual

Recommendations

function auctionEnd() external {
- if (block.timestamp < auctionEndTime) {
+ if (block.timestamp <= auctionEndTime) {
revert AuctionNotYetEnded();
}
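
Review bot: the boundary rule on the changed `if` line is left implicit, and nothing here pins it down. With `<=`, `auctionEnd()` reverts with `AuctionNotYetEnded` at `block.timestamp == auctionEndTime`, which closes the overlap only because `bid` and `unbid` compare with `>`. Add a comment on the condition stating that the end timestamp still belongs to the bidding window, and a test that calls all three functions at exactly `auctionEndTime`, so that a later change to either comparison is caught.
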
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Users can bid in the same block when the auctionEnd could be called (`block.timestamp==auctionEndTime`), depending on the order of txs in block they could lose funds

The protocol doesn't properly treat the `block.timestamp == auctionEndTime` case. Impact: High - There are at least two possible impacts here: 1. By chance, user bids could land in a block after the `auctionEnd()` is called, not including them in the multiplier calculation, leading to a situation where there are insufficient funds to pay everyone's claim; 2. By malice, where someone can use a script to call `auctionEnd()` + `bid(totalBids)` + `claimTokens()`, effectively depriving all good faith bidders from tokens. Likelihood: Low – The chances of getting a `block.timestamp == auctionEndTime` are pretty slim, but it’s definitely possible.
