DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Use of "onlyOwner" modifier in createAuction functions restricts users from creating auctions

Summary

Use of "onlyOwner" modifier in createAuction functions restricts users from creating auctions.

Vulnerability Details

The createAuction function in the AuctionFactory contract is restricted to be called only by the owner of the factory contract due to the onlyOwner modifier.

    function createAuction(
        address auctionToken,
        uint256 biddingTime,
        uint256 totalTokens,
        bytes32 salt
    ) external onlyOwner {
        address auctionAddress = address(
            new FjordAuction{ salt: salt }(fjordPoints, auctionToken, biddingTime, totalTokens)
        );
        // Transfer the auction tokens from the msg.sender to the new auction contract
        IERC20(auctionToken).transferFrom(msg.sender, auctionAddress, totalTokens);
        emit AuctionCreated(auctionAddress);
    }

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuctionFactory.sol#L52C3-L66C6

Only the owner of the AuctionFactory can create new auctions, which defeats the purpose of a decentralized auction system where anyone should be able to create an auction.

Users who want to create auctions must go through the owner, making it impossible for users to create an auction.

Impact

Users can't create auctions due to the "onlyOwner" restriction.

Tools Used

Manual review

Recommendations

Remove the onlyOwner modifier from the createAuction function to allow any user to create auctions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
