DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Users will not receive any tokens when they call FjordAuction::claimTokens() if they deposited a small amount in calls to FjordAuction::bid().

Summary

In FjordAuction.sol, the multiplier variable is used to calculate how many auction tokens a user should receive for the amount of tokens they deposited. If a user has deposited a small amount and the multiplier is small, they will lose all of their funds to precision loss when they call claimTokens().

Vulnerability Details

In the auctionEnd() method, the multiplier is calculated by scaling totalTokens up by 18 decimal places and then dividing by totalBids. The multiplication is done to avoid precision loss from the division by totalBids; the division yields the amount of auction tokens a user can claim per unit of bid they have placed.

function auctionEnd() external {
    // ...
    // Scale totalTokens by 1e18 before dividing so the per-bid rate keeps 18 decimals of precision.
    multiplier = totalTokens.mul(PRECISION_18).div(totalBids);
    // ...
}

The claimTokens() function is used by users to claim the auctionToken they are owed after the auction ends. The amount owed is calculated by multiplying the amount the user deposited in bids by the multiplier, and then dividing by PRECISION_18 to undo the earlier scaling.

function claimTokens() external {
    // ...
    // Integer division truncates: if userBids * multiplier < PRECISION_18, claimable is 0.
    uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
    bids[msg.sender] = 0;
    auctionToken.transfer(msg.sender, claimable);
    emit TokensClaimed(msg.sender, claimable);
}

The problem with this is that if the amount the user has deposited is small, and the multiplier is also small, there is a fair chance that userBids * multiplier will be smaller than PRECISION_18. The integer division by PRECISION_18 then truncates claimable to 0. In such a scenario the user receives no tokens, even though they placed a bid, because the amount of auctionToken transferred is 0. The multiplier will be small whenever the total number of auction tokens is small relative to the total amount of bids. This can happen when the auction token is considered very valuable, leading users to place many bids.

Note that SafeMath does not protect against precision loss.
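
The following is an added example, not code from the FjordAuction contract: a Python integer-arithmetic model of the two-step multiplier math above, run on constructed numbers. It goes slightly beyond the small-bid case by also comparing against a single-step formula (userBids * totalTokens / totalBids, assumed here, not in the contract) to show that the truncated multiplier shortchanges larger bidders as well, and it derives the minimum bid below which a claim truncates to zero for a given multiplier.

```python
# Added example (not the FjordAuction contract's own code): model of the
# auctionEnd()/claimTokens() integer math, showing truncation to zero for
# small bids and comparing against a single-division alternative.
PRECISION_18 = 10**18


def auction_end_multiplier(total_tokens: int, total_bids: int) -> int:
    """Mirrors auctionEnd(): totalTokens * 1e18 / totalBids, floored like uint256 math."""
    return total_tokens * PRECISION_18 // total_bids


def claimable_via_multiplier(user_bids: int, multiplier: int) -> int:
    """Mirrors claimTokens(): userBids * multiplier / 1e18 with integer truncation."""
    return user_bids * multiplier // PRECISION_18


def claimable_single_step(user_bids: int, total_tokens: int, total_bids: int) -> int:
    """Assumed alternative (not in the contract): userBids * totalTokens / totalBids.
    It rounds only once, so it never returns less than the two-step form."""
    return user_bids * total_tokens // total_bids


def min_bid_for_nonzero_claim(multiplier: int) -> int:
    """Smallest bid whose claim does not truncate to zero: ceil(1e18 / multiplier).
    The multiplier is only known at auctionEnd(), so a minimum enforced in bid()
    has to be chosen conservatively before totalBids is final."""
    if multiplier == 0:
        raise ValueError("multiplier is zero: every claim truncates to zero")
    return -(-PRECISION_18 // multiplier)


# Constructed scenario: 1,000 units of a 6-decimal auction token (1e9 base units)
# auctioned against 300,000,000 bid tokens with 18 decimals (3e26 wei).
TOTAL_TOKENS = 1_000 * 10**6
TOTAL_BIDS = 300_000_000 * 10**18

if __name__ == "__main__":
    m = auction_end_multiplier(TOTAL_TOKENS, TOTAL_BIDS)  # 3 (exact value is 3.33...)
    small_bid = 3 * 10**17                                 # 0.3 bid tokens
    large_bid = 10**24                                     # 1,000,000 bid tokens
    print("multiplier:", m)
    print("small bid, two-step:   ", claimable_via_multiplier(small_bid, m))
    print("small bid, single-step:", claimable_single_step(small_bid, TOTAL_TOKENS, TOTAL_BIDS))
    print("large bid, two-step:   ", claimable_via_multiplier(large_bid, m))
    print("large bid, single-step:", claimable_single_step(large_bid, TOTAL_TOKENS, TOTAL_BIDS))
    print("minimum bid for a non-zero claim:", min_bid_for_nonzero_claim(m))
```

With these numbers the 0.3-token bidder is owed 1 base unit but receives 0 through the multiplier path, and the 1,000,000-token bidder receives 3,000,000 base units instead of 3,333,333.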

Impact

Users who made deposits will lose their bids and not receive any auctionTokens.

Tools Used

Manual Review

Recommendations

Place a minimum deposit amount in bid() so that the chance of precision loss is low.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
