DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Some auctionTokens will be permanently stuck in FjordAuction.sol due to a lack of a "dust collector" function.

Summary

Due to precision loss from Solidity integer division, the amount sent to users via the claimTokens() function will always be rounded down. Although the amount that is lost can be small, the claimTokens() function could easily be called thousands to tens of thousands of times, and at scale the amount of auctionTokens that end up stuck in the FjordAuction contract could be significant. In such a scenario, it is beneficial to have a way to withdraw the cumulative sum of the dust that ends up in the contract due to precision loss.

Vulnerability Details

The claimable variable in the claimTokens() function will always round down for every call made by a user. Therefore, extra auctionTokens will start to build up in the FjordAuction contract with calls to claimTokens(). These leftover auctionTokens will be permanently stuck in the contract due to a lack of a dust collector function to remove the leftover auctionTokens.

    function claimTokens() external {
        if (!ended) {
            revert AuctionNotYetEnded();
        }
        uint256 userBids = bids[msg.sender];
        if (userBids == 0) {
            revert NoTokensToClaim();
        }
        // Integer division truncates: the remainder is never paid out
        uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
        bids[msg.sender] = 0;
        auctionToken.transfer(msg.sender, claimable);
        emit TokensClaimed(msg.sender, claimable);
    }
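
To measure how much dust the rounding above leaves behind, the following added Python model (not part of the original submission or the FjordAuction code) replays every claim with the same truncating arithmetic. The `settle` helper, the sample bids, and the way the multiplier is derived (`total_tokens * PRECISION_18 // total_bids`) are assumptions, since the page shows only the claim formula.

```python
PRECISION_18 = 10**18  # same scaling constant the contract uses


def settle(total_tokens, bids):
    """Replay every claim with Solidity-style floor division; return the leftover dust.

    Assumption (not shown on the page): the multiplier is set once as
    total_tokens * PRECISION_18 // total_bids when the auction ends.
    """
    bids = {user: amount for user, amount in bids.items() if amount > 0}
    total_bids = sum(bids.values())
    if total_bids == 0:
        raise ValueError("no bids, so no multiplier to claim against")
    multiplier = total_tokens * PRECISION_18 // total_bids

    payouts = {}
    for user, user_bids in bids.items():
        # Same arithmetic as claimTokens(): truncating division.
        payouts[user] = user_bids * multiplier // PRECISION_18
    dust = total_tokens - sum(payouts.values())

    # Each claim truncates less than 1 base unit, and the multiplier's own
    # truncation costs less than total_bids / PRECISION_18 base units overall.
    bound = len(bids) + total_bids // PRECISION_18
    return {"multiplier": multiplier, "payouts": payouts, "dust": dust, "bound": bound}


if __name__ == "__main__":
    # Constructed inputs: all amounts are integers in base units.
    cases = {
        "3 equal bidders, 1000 tokens (18 decimals)":
            (1000 * 10**18, {"a": 10**18, "b": 10**18, "c": 10**18}),
        "7 equal bidders, 10 base units for sale":
            (10, {f"u{i}": 10**18 for i in range(7)}),
        "10,000 uneven bidders, 1,000,000 tokens":
            (10**6 * 10**18, {f"u{i}": (i * 7919 + 1) * 10**15 for i in range(10_000)}),
    }
    for label, (tokens, bids) in cases.items():
        result = settle(tokens, bids)
        print(f"{label}: dust={result['dust']} base units (bound {result['bound']})")
```

Under the stated multiplier assumption, the dust is bounded in base units of the auction token, so its value depends on that token's decimals and price.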

Impact

Valuable tokens could be permanently stuck in the FjordAuction contract with no way to retrieve them.

Tools Used

Manual Review

Recommendations

Add a dust collector function

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

FjordAuction doesn't handle the dust remained after everyone claimed
