Fjord Token Staking

Summary

The FjordAuction contract lacks event emissions for critical state changes within the bid function. This oversight reduces transparency and hinders the ability of off-chain systems to accurately track and audit bid activities, potentially leading to confusion and trust issues among participants.

bids[msg.sender] = bids[msg.sender].add(amount);

Vulnerability Details

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L143-L153

1. State Change Without Event:

   • The bid function updates the bids mapping and totalBids variable when a user places a bid.

   • However, no event is emitted to log these changes, making it difficult to track bid activities through event logs.

2. Importance of Events:

   • Events provide an immutable record of significant actions and state changes within a contract.

   • They are crucial for off-chain monitoring, enabling systems to efficiently track and respond to contract activities.

3. Proof of Concept:

   • Deploy the FjordAuction contract and have a user place a bid using the bid function.

   • Attempt to track the bid activity through event logs.

   • Observe that no event is emitted, making it challenging to verify the bid through standard off-chain tools.

Impact

Without event emissions, it becomes difficult for participants and observers to track bid activities and verify changes in the contract's state.

Tools Used

• Manual review

Recommendations

Introduce an event, such as BidPlaced, to log bid activities. Emit this event whenever a bid is placed: