DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

A user can manipulate `totalBids` by placing or withdrawing bids in a way that affects the multiplier calculation; they might end up with more tokens than intended.

Summary

The FjordAuction contract allows users to place and withdraw bids, affecting the totalBids variable. The multiplier, which determines the amount of auction tokens each FjordPoint converts into, is calculated based on totalBids:

    multiplier = totalTokens.mul(PRECISION_18).div(totalBids);

When users place bids, totalBids increases, causing the multiplier to decrease. Conversely, when users withdraw bids, totalBids decreases, potentially increasing the multiplier. This fluctuation can be exploited in the following way:

Vulnerability Details

  1. Suppose:

  • totalTokens =

  • totalBids =

  • multiplier =

  1. A user bids FjordPoints, increasing totalBids to :
    multiplier =

  2. If the user then withdraws their bid, totalBids goes back to , but the multiplier remains at the old value before withdrawal.

  3. The user could now claim tokens based on the initial calculation (which might be higher than intended if other users haven’t adjusted their bids or claims).

  4. Initial Bid Placement:
    A user places a significant bid, which increases totalBids and reduces the multiplier, resulting in fewer tokens per FjordPoint.

  5. Token Claiming:
    The user claims their tokens at a reduced rate due to the lower multiplier.

  6. Bid Withdrawal:
    The user withdraws their bid, reducing totalBids and increasing the multiplier. If the user re-bids or claims tokens, they might benefit from a higher multiplier than initially intended.

The relevant code for bid placement and withdrawal is:

    function bid(uint256 amount) external {
        if (block.timestamp > auctionEndTime) {
            revert AuctionAlreadyEnded();
        }
        bids[msg.sender] = bids[msg.sender].add(amount);
        totalBids = totalBids.add(amount);
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        emit BidAdded(msg.sender, amount);
    }

    function unbid(uint256 amount) external {
        if (block.timestamp > auctionEndTime) {
            revert AuctionAlreadyEnded();
        }
        uint256 userBids = bids[msg.sender];
        if (userBids == 0) {
            revert NoBidsToWithdraw();
        }
        if (amount > userBids) {
            revert InvalidUnbidAmount();
        }
        bids[msg.sender] = bids[msg.sender].sub(amount);
        totalBids = totalBids.sub(amount);
        fjordPoints.transfer(msg.sender, amount);
        emit BidWithdrawn(msg.sender, amount);
    }

Impact

Manipulating the totalBids by placing and withdrawing bids can lead to users claiming more tokens than they should based on their actual contribution. This discrepancy can undermine the fairness of the auction and result in an uneven distribution of tokens.

Tools Used

Manual

Recommendations

The multiplier should be recalculated at the time of each token claim to reflect the current totalBids.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
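
A way to check the accounting discussed in this submission, as an added example that is not part of the submission or of the FjordAuction code: a Python model of the `bid`/`unbid` guards and the multiplier formula quoted above. It assumes the multiplier is computed once when the auction is ended and that claims happen only afterwards (the page does not show either function); `AuctionModel`, `end_auction`, `claim`, `run_scenario` and all amounts are constructed for illustration.

```python
# Added illustration: a Python model, not the FjordAuction contract itself.
# Assumption (not on the page): multiplier is set once at auction end; claims follow.
PRECISION_18 = 10**18

class AuctionModel:
    def __init__(self, total_tokens, end_time):
        self.total_tokens = total_tokens
        self.end_time = end_time
        self.bids = {}
        self.total_bids = 0
        self.multiplier = None  # unset until end_auction()

    def bid(self, user, amount, now):
        if now > self.end_time:
            raise RuntimeError("AuctionAlreadyEnded")
        self.bids[user] = self.bids.get(user, 0) + amount
        self.total_bids += amount

    def unbid(self, user, amount, now):
        if now > self.end_time:
            raise RuntimeError("AuctionAlreadyEnded")
        user_bids = self.bids.get(user, 0)
        if user_bids == 0:
            raise RuntimeError("NoBidsToWithdraw")
        if amount > user_bids:
            raise RuntimeError("InvalidUnbidAmount")
        self.bids[user] = user_bids - amount
        self.total_bids -= amount

    def end_auction(self, now):
        if now <= self.end_time or self.total_bids == 0:
            raise RuntimeError("cannot finalize")  # hypothetical guard
        # Integer division, mirroring totalTokens.mul(PRECISION_18).div(totalBids)
        self.multiplier = self.total_tokens * PRECISION_18 // self.total_bids

    def claim(self, user):
        if self.multiplier is None:
            raise RuntimeError("AuctionNotYetEnded")
        amount = self.bids.pop(user, 0)  # a bid can be claimed only once
        return amount * self.multiplier // PRECISION_18

def run_scenario():
    a = AuctionModel(total_tokens=1_000 * PRECISION_18, end_time=100)
    a.bid("alice", 300, now=10)
    a.bid("bob", 700, now=20)
    a.bid("carol", 9_000, now=30)    # large bid ...
    a.unbid("carol", 9_000, now=40)  # ... fully withdrawn before the end
    a.end_auction(now=101)
    return a, {u: a.claim(u) for u in ("alice", "bob", "carol")}
```

Under these assumptions the bid and withdrawal cancel out in `total_bids` before the multiplier is fixed, and the claims sum to exactly `total_tokens`.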
