DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Valid

Permanent loss of `FjordTokens` paid for auction if there are no bidders.

Summary

If an auction ends with no bidders, the FjordTokens paid for the auction are sent to the FjordAuctionFactory, and there is no way to get them back.

Vulnerability Details

Auctions are created through FjordAuctionFactory, and only the owner of the FjordAuctionFactory can create them.

Since the Factory is the contract that deploys new auctions, the msg.sender in the constructor of each newly created FjordAuction contract is the address of the FjordAuctionFactory.

FjordAuctionFactory.sol#L58-L60

function createAuction( ... ) external onlyOwner {
@>  address auctionAddress = address(
        new FjordAuction{ salt: salt }(fjordPoints, auctionToken, biddingTime, totalTokens)
    );
    ...
}

This deploys a new FjordAuction. Its constructor sets the owner to msg.sender, i.e. the owner of that specific auction is now the FjordAuctionFactory.

FjordAuction.sol#L134

constructor( ... ) {
    ...
@>  owner = msg.sender;
    ...
}

If there are no bidders for that auction, auctionEnd() sends the auctionToken (Fjord token) back to the owner, which is the FjordAuctionFactory.

FjordAuction.sol#L192-L195

function auctionEnd() external {
    ...
    if (totalBids == 0) {
@>      auctionToken.transfer(owner, totalTokens);
        return;
    }
    ...
}

The returned tokens are lost forever, because there is no way to transfer them out of FjordAuctionFactory.

FjordAuctionFactory doesn't implement any function that allows the Factory owner to take these tokens, so the Fjord tokens end up stuck in the factory contract.

Proof of Concept

  • A new Auction is about to start.

  • The Factory owner creates the auction.

  • The Auction owner is the Factory contract.

  • The Auction ends with no bidders.

  • The auction is ended by calling auctionEnd().

  • The tokens are transferred back to the Auction owner, which is the Factory contract.

  • The tokens are permanently stuck in the Factory contract, and no one will be able to recover them.

Impact

Permanent lock/freeze of funds.

Tools Used

Manual Review

Recommendations

Implement a function to recover tokens from the Factory and send them back to the Factory owner.
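One way such a recovery function could look, as an added example that is not part of the original submission or the project's code. The contract, interface, event and error names (RecoverableFactory, IERC20Minimal, recoverTokens, TokensRecovered) are hypothetical, and the sketch assumes the factory tracks a single owner address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added example, not the project's code. All names below are hypothetical.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RecoverableFactory {
    address public owner;

    event TokensRecovered(address indexed token, address indexed to, uint256 amount);

    error NotOwner();
    error NothingToRecover();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Sweeps the factory's whole balance of `token` to the factory owner.
    // This covers tokens sent back by auctionEnd() when an auction had zero
    // bids, because the factory is the `owner` recorded in each auction.
    function recoverTokens(IERC20Minimal token) external onlyOwner {
        uint256 amount = token.balanceOf(address(this));
        if (amount == 0) revert NothingToRecover();

        // Low-level call so tokens that return no boolean are handled too.
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20Minimal.transfer.selector, owner, amount)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();

        emit TokensRecovered(address(token), owner, amount);
    }
}
```

A regression test for the fix would end an auction with zero bids, call recoverTokens, and check that the factory owner's balance increased by totalTokens.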

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

If no bids are placed during the auction, the `auctionToken` will be permanently locked within the `AuctionFactory`

An auction with 0 bids will get the `totalTokens` stuck inside the contract.

Impact: High - Tokens are forever lost.

Likelihood - Low - Super small chances of happening, but not impossible.
