DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Lack of Sweep Function for Residual Tokens in FjordAuction Contract could lead to a small amount of tokens being stuck in the contract forever

Summary

The FjordAuction contract suffers from precision loss during token distribution, resulting in small amounts of auction tokens being trapped in the contract. The absence of a sweep function to recover these residual tokens leads to permanent loss of value and reduced efficiency in token distribution.

Vulnerability Details

The vulnerability stems from the token distribution mechanism in the FjordAuction contract. Specifically, in the claimTokens function:

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L217

Impact

The impact of this vulnerability is moderate:

  1. Lost Value: Small amounts of tokens become permanently trapped in the contract, reducing the overall value distributed to auction participants.

  2. Reduced Efficiency: The auction fails to distribute 100% of the intended tokens, slightly diminishing its effectiveness.

Tools Used

Manual Review

Recommendations

Implement the following changes:

  1. Add a sweep function to the FjordAuction contract that allows the recovery of residual tokens after the auction ends:

    ```solidity
    // Recovers whatever auction tokens remain once the auction has ended.
    // Restricted to the owner (see recommendation 2).
    function sweepTokens(address recipient) external onlyOwner {
        require(ended, "Auction not ended");
        uint256 balance = auctionToken.balanceOf(address(this));
        require(balance > 0, "No tokens to sweep");
        auctionToken.transfer(recipient, balance);
        emit TokensSwept(recipient, balance);
    }
    ```

  2. Implement access control for the sweep function, restricting it to the contract owner or a designated admin role.

  3. Add a time lock or a minimum waiting period after the auction ends before the sweep function can be called, ensuring all participants have had a chance to claim their tokens.

  4. Consider implementing a more precise distribution algorithm that accounts for and minimizes rounding errors, possibly by distributing the remainder to the last claimer or proportionally to all participants.

  5. Add events to log the initial token amount, total distributed amount, and any swept amount for transparency.

    ```solidity
    event AuctionFinalized(uint256 totalTokens, uint256 distributedTokens);
    event TokensSwept(address recipient, uint256 amount);
    ```
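
The rounding loss described under Vulnerability Details and the remainder-to-last-claimer idea in recommendation 4, as an added Python model (not code from the submission or from the Fjord repository). It assumes a hypothetical pro-rata formula in which a multiplier scaled by `PRECISION_18` is floored once and each claim is floored again; the function names and the sample bids are constructed.

```python
# Added example: integer model of floor-division dust in a pro-rata claim.
# ASSUMPTION: the multiplier formula is a hypothetical model of the
# distribution; the page links to claimTokens but does not reproduce it.
PRECISION_18 = 10**18


def claim_amounts(total_tokens, bids):
    """Payout per bidder when every claim is floored independently."""
    total_bids = sum(bids.values())
    multiplier = total_tokens * PRECISION_18 // total_bids  # first floor
    # Second floor: each bidder's share is truncated on its own.
    return {who: amt * multiplier // PRECISION_18 for who, amt in bids.items()}


def dust(total_tokens, bids):
    """Tokens still held by the contract after every bidder has claimed."""
    return total_tokens - sum(claim_amounts(total_tokens, bids).values())


def claim_with_remainder(total_tokens, bids, claim_order):
    """Recommendation 4 variant: the last outstanding bidder gets the balance."""
    floored = claim_amounts(total_tokens, bids)
    remaining_tokens = total_tokens
    remaining_bids = sum(bids.values())
    paid = {}
    for who in claim_order:
        # When this bidder holds all unclaimed bids, pay out everything left,
        # dust included; otherwise pay the floored share.
        if bids[who] == remaining_bids:
            amount = remaining_tokens
        else:
            amount = floored[who]
        paid[who] = amount
        remaining_tokens -= amount
        remaining_bids -= bids[who]
    return paid


# Constructed sample: 1000 tokens with 18 decimals, bids in 18-decimal units.
SAMPLE_TOTAL = 1000 * 10**18
SAMPLE_BIDS = {"alice": 1 * 10**18, "bob": 2 * 10**18, "carol": 4 * 10**18}

if __name__ == "__main__":
    print("dust (smallest units):", dust(SAMPLE_TOTAL, SAMPLE_BIDS))
    print(claim_with_remainder(SAMPLE_TOTAL, SAMPLE_BIDS, ["bob", "alice", "carol"]))
```

In this model the residue is counted in the token's smallest unit, and it only reaches zero under the remainder variant if every bidder actually claims.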

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

FjordAuction doesn't handle the dust remained after everyone claimed
