Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Restrictions on unbid Allows Last-Minute Withdrawal, Leading to Auction Manipulation

kildren

Relevant GitHub Links

unbid

Summary

The FjordAuction contract's lack of restrictions on the unbid function can be exploited by attackers to manipulate auction outcomes and gain assets at lower than expected prices.

Vulnerability Details

In the FjordAuction contract, bidders can initially bid a large number of points to artificially inflate the auction price. This tactic can deter other potential bidders. At the last moment, just as the auction conditions are met for ending, the attacker can call unbid followed by auctionEnd, acquiring the auctioned tokens for a minimal cost.

Proof of Concept (POC)
By performing a last-moment unbid of a substantial amount of points, an attacker can acquire significant auction tokens at the cost of just 1 point.

Add the following test to test/unit/auction.t.sol:

function testUnbidBeforeAuctionEnd() public {

address bidder = address(0x2);

uint256 bidAmount = 100 ether;

uint256 unbidAmount = 50 ether;

deal(address(fjordPoints), bidder, bidAmount);

vm.startPrank(bidder);

fjordPoints.approve(address(auction), bidAmount);

auction.bid(bidAmount);

// Attacker unbids before calling auctionEnd()

skip(biddingTime);

auction.unbid(bidAmount - 1);

auction.auctionEnd();

auction.claimTokens();

vm.stopPrank();

assertEq(fjordPoints.balanceOf(bidder), bidAmount - 1);

assertEq(auctionToken.balanceOf(bidder), 1000 ether);

}

Impact

Due to Solidity's truncation characteristics, when the auction price is sufficiently high, other users may be entirely unable to obtain the auctioned tokens, leading them to unbid their own tokens. This increases the attacker's profit margin further. With no buffer period for unbid, an attacker possessing a large number of points can exploit this to repeatedly attack various auctions.

Tools Used

Manual Review

Recommendations

Consider implementing a buffer period for unbid actions. During this buffer period, the points will remain locked in the contract and will not participate in the bidding. Users can retrieve their points after the buffer period or the auction's conclusion. Additionally, prohibit unbid actions a short time before the auction ends to prevent any last-moment tampering, ensuring the auction price is accurately represented toward its conclusion.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.