Vulnerability Details

in the createAuction function in the AuctionFactory contract, there is a logic issue:

The function transfers totalTokens from the msg.sender to the newly created auction contract. However, there's no check to ensure that msg.sender has approved the AuctionFactory contract to spend these tokens on their behalf.

This could lead to the transaction failing if the msg.sender hasn't given sufficient allowance to the AuctionFactory contract for the auctionToken.

To fix this, we should:

1. Either require the msg.sender to approve the AuctionFactory before calling createAuction.

2. Or, implement a two-step process where the auction is created first, and then the tokens are transferred directly to the auction contract by the auction creator.

This issue could prevent auctions from being created successfully, even when all other parameters are correct.

Impact

1. The AuctionFactory contract doesn't have any mechanism to receive approval for token transfers.

2. The createAuction function assumes it can transfer tokens on behalf of the msg.sender.

Impact and PoC:

1. Alice deploys the AuctionFactory contract.

2. Alice approves the AuctionFactory to spend her tokens (this step is not in the contract but necessary).

3. Alice calls createAuction with valid parameters.

4. The function creates a new FjordAuction contract.

5. The function attempts to transfer tokens from Alice to the new auction contract.

6. This transfer will fail if Alice hasn't approved the AuctionFactory to spend her tokens.

7. The entire transaction reverts, preventing the auction from being created.

This bug effectively renders the createAuction function unusable, as it will always revert unless the caller has manually approved the AuctionFactory contract beforehand. This breaks the expected workflow of the system and prevents new auctions from being created, significantly impacting the core functionality of the project.

Tools Used

Manual review