Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of Input Validation in `AuctionFactory::createAuction` Function

wizard

Summary

The createAuction function lacks proper input validation for the auctionToken, biddingTime, or totalTokens parameters. If auctionToken is an invalid address address(0) or if biddingTime is set to 0. this will lead to problems when creating the auction contract.

Vulnerability Details

The createAuction function does not validate the inputs passed to it, the auctionToken, biddingTime, and totalTokens parameters.

auctionToken: If this address is invalid (address(0)), the auction will fail to function correctly since it won't have a valid token to auction.
biddingTime: If this is set to 0, the auction could end immediately after its creation, preventing any bids from being placed.
totalTokens: If this is set to 0, the auction will distribute no tokens, rendering the auction pointless.

Impact

Without input validation, auctions could be created with invalid parameters, leading to failed or malfunctioning auctions. This could result in the loss of auction functionality, wasted gas fees, and potential loss of tokens or funds.

Tools Used

Manual Review

Recommendations

Implement input validation to ensure that:

auctionToken is a valid non-zero address.
biddingTime is greater than 0.
totalTokens is greater than 0.

and use custom errors to revert in case the input validation fails.

error NotOwner();

error InvalidAddress();

error InvalidBiddingTime();

error InvalidTokenAmount();

+++++++Rest Of the Code++++++

function createAuction(

address auctionToken,

uint256 biddingTime,

uint256 totalTokens,

bytes32 salt

) external onlyOwner {

// Validate inputs

++ if (auctionToken == address(0)) revert InvalidAddress();

++ if (biddingTime == 0) revert InvalidBiddingTime();

++ if (totalTokens == 0) revert InvalidTokenAmount();

address auctionAddress = address(

new FjordAuction{ salt: salt }(fjordPoints, auctionToken, biddingTime, totalTokens)

);

IERC20(auctionToken).transferFrom(msg.sender, auctionAddress, totalTokens);

emit AuctionCreated(auctionAddress);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.