When an auction is created using the `AuctionFactory` contract, the `FjordAuction` contract assigns the Factory contract as its owner. If the auction ends with no bids, the auction tokens are returned to the Factory contract, which results in the tokens being stuck there with no mechanism to retrieve them.
When the owner of the `AuctionFactory` contract creates an auction using the `createAuction` function, a new `FjordAuction` contract is deployed. This new auction contract sets the `msg.sender` (the Factory contract) as its owner. Consequently, the Factory contract becomes the owner of the auction contract.
When the auction ends without any bids, the auction tokens are transferred back to the owner of the contract, which is the Factory contract. Since the Factory contract lacks a mechanism to recover these tokens, they remain permanently stuck.
The funds become irretrievable, effectively getting stuck in the Factory contract.
Add the following code snippet to the `auction.t.sol` file, and import the Factory contract into the same file. This PoC demonstrates how the auction contract assigns the Factory contract's address as its owner, instead of the EOA (Externally Owned Account) that owns the Factory contract.
Manual analysis.
To prevent this issue, pass an `owner` address parameter to the auction contract during its creation and assign this address as the owner instead of using `msg.sender`.
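The recommendation above, sketched as an added example on a simplified model; this is not the audited project's code, and `AuctionModel`, `FactoryModel`, the constructor signatures and the omitted bidding and funding logic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Simplified model (assumption): names and bodies are illustrative,
// not the audited FjordAuction / AuctionFactory source.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract AuctionModel {
    address public immutable owner;
    IERC20 public immutable auctionToken;
    uint256 public immutable totalTokens;
    uint256 public totalBids; // bid() is omitted, so this stays 0 in the model
    bool public ended;

    // Fix: the creator names the owner explicitly. The flawed form is
    // `owner = msg.sender;`, which is the factory when deployed via `new`.
    constructor(address _owner, IERC20 _token, uint256 _totalTokens) {
        require(_owner != address(0), "owner is zero");
        owner = _owner;
        auctionToken = _token;
        totalTokens = _totalTokens;
    }

    function auctionEnd() external {
        require(!ended, "already ended");
        ended = true;
        if (totalBids == 0) {
            // No bids: tokens go back to `owner`. With owner == factory they
            // would land in a contract that has no function to move them.
            require(auctionToken.transfer(owner, totalTokens), "transfer failed");
        }
    }
}

contract FactoryModel {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function createAuction(IERC20 token, uint256 totalTokens) external returns (address) {
        require(msg.sender == owner, "not owner");
        // Inside the new contract's constructor msg.sender is this factory,
        // so the factory owner's address is forwarded explicitly.
        AuctionModel auction = new AuctionModel(msg.sender, token, totalTokens);
        // Funding the auction (transferFrom to `auction`) is omitted in this model.
        return address(auction);
    }
}
```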
An auction with 0 bids will get the `totalTokens` stuck inside the contract.
Impact: High - Tokens are forever lost
Likelihood: Low - Super small chances of happening, but not impossible