The user loses all points when block.timestamp equals auctionEndTime
Summary
If a user places a bid in the auction at block.timestamp == auctionEndTime, someone else can frontrun the bid() transaction by calling auctionEnd() first, resulting in the user losing their points.
Vulnerability Details
Consider the following scenario:
A user calls the
FjordAuction.bidfunction (placing a bid in the auction whenblock.timestamp == auctionEndTime).A frontrunner detects the transaction in the mempool and sends an
auctionEnd()transaction faster.As a result, the user's transaction is successfully processed, but the bid is placed in an already ended auction.
This issue occurs due to an incorrect check of whether the auction has ended.
Impact
The user ends up losing all their points as a result of the issue
Tools Used
Manual review
Recommendations
The AuctionNotYetEnded check needs to be updated as follows
Lead Judging Commences
Users can bid in the same block when the actionEnd could be called (`block.timestamp==actionEndTime`), depending on the order of txs in block they could lose funds
The protocol doesn't properly treat the `block.timestamp == auctionEndTime` case. Impact: High - There are at least two possible impacts here: 1. By chance, user bids could land in a block after the `auctionEnd()` is called, not including them in the multiplier calculation, leading to a situation where there are insufficient funds to pay everyone's claim; 2. By malice, where someone can use a script to call `auctionEnd()` + `bid(totalBids)` + `claimTokens()`, effectively depriving all good faith bidders from tokens. Likelihood: Low – The chances of getting a `block.timestamp == auctionEndTime` are pretty slim, but it’s definitely possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.