Submission Details
Severity:
Insufficient Parameter Validation in Auction Creation
Vulnerability Details:
The createAuction function lacks proper validation for its input parameters. This could lead to the creation of auctions with unintended or potentially harmful settings.
Impact:
Auctions could be created with extremely short bidding times, unreasonably large token amounts, or other problematic parameters, potentially leading to unfair auctions or system abuse.
Proof of Concept:
function createAuction(
address auctionToken,
uint256 biddingTime,
uint256 totalTokens,
bytes32 salt
) external onlyOwner {
// No validation of biddingTime or totalTokens
address auctionAddress = address(
new FjordAuction{ salt: salt }(fjordPoints, auctionToken, biddingTime, totalTokens)
);
// ...
}
Tools Used: Manual review
Recommendations:
-
Implement parameter validation:
function createAuction(address auctionToken,uint256 biddingTime,uint256 totalTokens,bytes32 salt) external onlyOwner {require(auctionToken != address(0), "Invalid auction token");require(biddingTime >= MIN_BIDDING_TIME && biddingTime <= MAX_BIDDING_TIME, "Invalid bidding time");require(totalTokens > 0 && totalTokens <= MAX_TOTAL_TOKENS, "Invalid total tokens");// ... rest of the function ...} -
Consider implementing upper and lower bounds for
biddingTimeandtotalTokens.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230 USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.