The claimTokens function allows users to claim their tokens after an auction has ended, based on their bids and a predefined multiplier. However, if the user is blacklisted by the token contract, the function fails to transfer the claimable tokens to the user. This results in a denial of service (DoS) for blacklisted users, preventing them from retrieving their rightful tokens.
The auctionToken.transfer call is responsible for transferring the calculated claimable tokens to the user. If the token contract enforces a blacklist, where certain addresses are blocked from receiving transfers, any blacklisted user who calls claimTokens will not receive their tokens. Because the return value of the transfer is not checked, the function executes without reverting while the transfer itself fails, leaving the claimable amount stranded and setting the user's bid balance to zero.
The root cause is the lack of a mechanism to handle the case where auctionToken.transfer fails due to blacklist restrictions. The contract assumes that all transfers succeed, which does not hold when a blacklist is enforced.
Blacklisted users are unable to claim their tokens, leading to potential financial losses. Even though their bid amounts are reset to zero, they do not receive the corresponding tokens. This creates an unfair scenario where certain users are denied access to their rightful assets, which could lead to legal or reputational issues for the platform.
Manual Review
Introduce a mechanism to detect whether the auctionToken.transfer call fails. If the transfer fails, the contract should either revert the entire transaction, ensuring that the user's bid balance remains intact, or store the claimable amount in a separate escrow or reserve, allowing the user to claim it through alternative means, such as after appealing the blacklist or after removal from the blacklist.
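The following contract is an added illustration of the finding and of the second recommended fix (escrowing a failed claim); it is hypothetical example code, not the audited contract. The auction mechanics (bid(), a fixed multiplier, auctionEndTime), the unclaimed escrow mapping and the _tryTransfer helper are all assumptions made for the example. The vulnerable shape is shown beside the hardened one so the difference is visible in a single file.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumption: auctionToken is ERC-20 compatible).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical auction contract written for this example; not the audited code.
contract AuctionClaimExample {
    IERC20 public immutable auctionToken;
    uint256 public immutable multiplier;      // stand-in for the page's "predefined multiplier"
    uint256 public immutable auctionEndTime;

    mapping(address => uint256) public bids;      // bid amount per user (assumed to be in wei)
    mapping(address => uint256) public unclaimed; // escrowed tokens for users whose transfer failed

    event Claimed(address indexed user, uint256 amount);
    event ClaimEscrowed(address indexed user, uint256 amount);

    constructor(IERC20 token, uint256 mult, uint256 endTime) {
        auctionToken = token;
        multiplier = mult;
        auctionEndTime = endTime;
    }

    // Simplified bidding so the example is self-contained.
    function bid() external payable {
        require(block.timestamp < auctionEndTime, "auction ended");
        bids[msg.sender] += msg.value;
    }

    // VULNERABLE pattern as described in the finding: the bid is zeroed and the
    // return value of transfer is ignored, so a blacklist that makes transfer
    // return false (rather than revert) strands the user's tokens.
    function claimTokensVulnerable() external {
        require(block.timestamp >= auctionEndTime, "auction not ended");
        uint256 amount = bids[msg.sender] * multiplier;
        bids[msg.sender] = 0;
        auctionToken.transfer(msg.sender, amount); // unchecked
    }

    // HARDENED: detect a failed transfer and escrow the claim instead of losing it.
    function claimTokens() external {
        require(block.timestamp >= auctionEndTime, "auction not ended");
        uint256 amount = bids[msg.sender] * multiplier;
        require(amount > 0, "nothing to claim");
        bids[msg.sender] = 0; // effects before interaction
        if (!_tryTransfer(msg.sender, amount)) {
            unclaimed[msg.sender] += amount; // claim stays recoverable
            emit ClaimEscrowed(msg.sender, amount);
            return;
        }
        emit Claimed(msg.sender, amount);
    }

    // Pull path for escrowed claims, usable once the user is no longer blocked
    // by the token's blacklist. Paying only msg.sender keeps the token's own
    // transfer policy fully in force.
    function withdrawEscrowed() external {
        uint256 amount = unclaimed[msg.sender];
        require(amount > 0, "nothing escrowed");
        unclaimed[msg.sender] = 0;
        require(_tryTransfer(msg.sender, amount), "transfer still failing");
    }

    // Treat both a revert and a `false` return as failure, while still accepting
    // tokens that return no data from transfer. Returns true only on success.
    function _tryTransfer(address to, uint256 amount) internal returns (bool) {
        if (address(auctionToken).code.length == 0) return false;
        (bool ok, bytes memory data) = address(auctionToken).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        return ok && (data.length == 0 || abi.decode(data, (bool)));
    }
}
```

If the first recommended option (reverting) is preferred instead, replace the escrow branch in claimTokens with require(_tryTransfer(msg.sender, amount), "transfer failed"); the bid balance is then restored by the revert. Either way, the observable check for auditors is the same: no state that zeroes bids[msg.sender] may be committed unless the transfer's result has been verified or the amount has been recorded somewhere the user can later pull from.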