Absence of SafeERC20 Usage in `FjordAuctionFactory` and `FjordAuction` Contracts
Summary
The FjordAuctionFactory and FjordAuction contracts interact with ERC20 tokens without using OpenZeppelin's SafeERC20 library. This could possibly lead to failed transfers. For better safety use the SafeERC20 library.
Vulnerability Details
In both FjordAuctionFactory and FjordAuction contracts, ERC20 token interactions are performed using direct calls to the token contracts, rather than using the SafeERC20 library. For example:
In FjordAuctionFactory:
In FjordAuction:
Impact
This could lead to failed or inconsistent transfers.
Tools Used
Manual Review
Recommendations
Implement the following changes:
-
Import and use OpenZeppelin's SafeERC20 library for both contracts:
```solidityimport "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
``` -
Apply the library to all ERC20 interactions. For example, in FjordAuctionFactory:
```solidity
using SafeERC20 for IERC20;// In createAuction function:
IERC20(auctionToken).safeTransferFrom(msg.sender, auctionAddress, totalTokens);```
-
In FjordAuction, update all token interactions:
```solidity
using SafeERC20 for IERC20;
using SafeERC20 for ERC20Burnable;// In bid function:
fjordPoints.safeTransferFrom(msg.sender, address(this), amount);// In claimTokens function:
auctionToken.safeTransfer(msg.sender, claimable);```
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.