Fjord Token Staking

Vulnerability Details

In FjordAuction the users bid by sending fjordPoints to the contract to claim auctionToken, as long as they see it as a profitable trade. Since the amount of auctionToken received is inversely proportional to the total fjordPoints bidded (the more fjordPoints in the auction contract the less auctionToken received), users how bid need to track exactly how much they will earn and they have the ability to unbid anytime if they see it unprofitable anymore.

The problem is that bid() function has no bid extention time, if users bid at last time some users will not notice this bids, and will end up recieving less than they wish.

Proof of Concept

• Auction starts with 10 auctionToken.

• There are 9 total fjordPoints bidded.

• UserA sees that 1 auction token worth 1 fjordPoint.

• UserA bidded 1 fjordPoint.

• Now total fjordPoint bidded is 10 same as auctionToken amount, and for each fjordToken you will recive 1 auctionToken (what UserA wants)

• UserB sees that 1 fjordPoint worth less than 1 auctionToken.

• UserB bids 1 fjordPoint (he saw it as profitable), but at the last time.

• UserA didn't noticed about this bid.

• Auction ends.

• UserA will receive less than he expected and will be like a lose to him.

The idea here is that UserA would have unbidded in case he noticed that UserB bidded, but because the auctionEndTime did not extended when UserB bids, UserA will not be able to unbid his bid which si unprofitabel to him.

Impact

Lossy Bidding for some users in some situations

Tools Used

Manual Review

Recommendations

implement a bid time extention when bidding.