Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Boundaries should be defined in `FjordAuction.sol` as a safeguard to ensure that auction duration (`_biddingTime`) is of a reasonable range

hlx

Summary

The FjordAuction.sol auction contract provided lacks defined boundaries for the auction duration, potentially allowing for unintentional unreasonably short or excessively long auction periods. Proper boundaries should be set as a safeguard to ensure that the auction duration falls within a reasonable and intended range.

Vulnerability Details

The FjordAuction.solauction contract allows the auction duration to be set through the _biddingTime parameter in the constructor. However, there are no checks or boundaries in place to ensure that this duration is within a reasonable range.

constructor(
address _fjordPoints,
address _auctionToken,
uint256 _biddingTime,
uint256 _totalTokens
) {
if (_fjordPoints == address(0)) {
revert InvalidFjordPointsAddress();
}
if (_auctionToken == address(0)) {
revert InvalidAuctionTokenAddress();
}
fjordPoints = ERC20Burnable(_fjordPoints);
auctionToken = IERC20(_auctionToken);
owner = msg.sender;
auctionEndTime = block.timestamp.add(_biddingTime);
totalTokens = _totalTokens;
}

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L120-L137

Without these boundaries, the following risks arise:

  • Extremely Short Auctions: The auction could be accidently set to an extremely short duration, potentially just a few seconds, which might not give users enough time to place bids. This could lead to an unfair auction where only a few participants can take part and potentially monopolize the prize pool with very little points.

  • Excessively Long Auctions: Conversely, the auction duration could be accidently set to an excessively long period, potentially lasting years or indefinitely. This would prevent the auction from concluding in a timely manner.

This lack of boundaries could disrupt the intended auction process and negatively impact user experience.

Impact

  1. Participants may be unable to participate effectively if the auction duration is too short. If the duration is too long, users may lose interest, and the auction may fail to attract sufficient participation.

  2. An auction that lasts indefinitely could result in operational inefficiencies, with the auctionTokens and contract being locked in an ongoing auction state without resolution. This could also tie up resources and tokens indefinitely.

  3. An extremely short auction duration might be exploited by attackers who can programmatically place bids faster than regular users, thus monopolizing the auction process.

Tools Used

Manual review.

Recommendations

Introduce minimum and maximum duration limits to ensure the auction duration is within a reasonable range. For example:

uint256 public constant MIN_AUCTION_DURATION = 1 hours; // Minimum auction duration
uint256 public constant MAX_AUCTION_DURATION = 30 days; // Maximum auction duration
constructor(
address _fjordPoints,
address _auctionToken,
uint256 _biddingTime,
uint256 _totalTokens
) {
require(_biddingTime >= MIN_AUCTION_DURATION && _biddingTime <= MAX_AUCTION_DURATION, "Auction duration out of bounds");
// rest of the constructor logic...
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.