Inconsistent comparations between FjordAuction functions allows to bid on ended auctions
Summary
Inconsistent comparations between FjordAuction functions allows to bid on ended auctions because comparations between block.timestamp and auctionEndTime differs from bid method and auctionEnd method
Vulnerability Details
Contract considers that an auction has ended if block.timestamp >= auctionEnd
However, users can bid and unbid for an action even when block.timestamp == auctionEndTime.
This is because this functions reverts if block.timestamp > auctionEndTime, but it should revert when block.timestamp == auctionEndTime too:
So, this allows users monitoring mempools to bid (and frontrun auctionEnd() calls) on empty auction that recently ends, ensuring he will obtain all auctioned tokens, even when the auction just finished, breaking code invariants
Impact
Loss of funds
Tools Used
Manual Review
Recommendations
So bid and unbid should check block.timestamp >= auctionEndTime:
Lead Judging Commences
Users can bid in the same block when the actionEnd could be called (`block.timestamp==actionEndTime`), depending on the order of txs in block they could lose funds
The protocol doesn't properly treat the `block.timestamp == auctionEndTime` case. Impact: High - There are at least two possible impacts here: 1. By chance, user bids could land in a block after the `auctionEnd()` is called, not including them in the multiplier calculation, leading to a situation where there are insufficient funds to pay everyone's claim; 2. By malice, where someone can use a script to call `auctionEnd()` + `bid(totalBids)` + `claimTokens()`, effectively depriving all good faith bidders from tokens. Likelihood: Low – The chances of getting a `block.timestamp == auctionEndTime` are pretty slim, but it’s definitely possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.