Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Fee-on-transfer tokens cause auction claim failure in FjordAuction

Japy69

Note to the judges

It is important to note that this issue is distinct from the known issue related to additional fees, which involves fees being passed on to users or affecting pricing dynamics. In contrast, this vulnerability results in some users being unable to claim their tokens at all, causing a partial loss of auction tokens.

Summary

The createAuction function in the FjordAuctionFactory.sol contract is vulnerable to an issue when fee-on-transfer tokens are used as the auction token. When such tokens are transferred, the auction contract receives fewer tokens than expected. This discrepancy leads to a mismatch between the recorded totalTokens and the actual balance in the contract, which eventually causes a denial-of-service (DoS) attack during the claim process for users and results in the permanent loss of some auction tokens.

Vulnerability Details

The createAuction function initializes a new auction by transferring a specified number of totalTokens from the auction creator to the newly created auction contract. However, if the auction token has a fee-on-transfer mechanism, the amount received by the auction contract will be less than the intended totalTokens. This discrepancy is not accounted for, as the totalTokens value is stored in the constructor and used in calculations throughout the auction.

Specifically, during the claim process, the multiplier is calculated using the recorded totalTokens, which is higher than the actual balance of the contract in this case.

multiplier = totalTokens.mul(PRECISION_18).div(totalBids);

As a result, when users attempt to claim their tokens, the contract may run out of tokens before all users have successfully claimed, causing the final claims to revert due to insufficient balance. This leads to a denial-of-service (DoS) for the last users attempting to claim their tokens and results in some auction tokens being permanently stuck in the contract.

function claimTokens() external {

if (!ended) {

revert AuctionNotYetEnded();

}

uint256 userBids = bids[msg.sender];

if (userBids == 0) {

revert NoTokensToClaim();

}

uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);

bids[msg.sender] = 0;

auctionToken.transfer(msg.sender, claimable); //The function reverts here if not enough balance

emit TokensClaimed(msg.sender, claimable);

}

Impact

Denial-of-Service (DoS) for Users: The last users attempting to claim their tokens may face a revert, preventing them from receiving their auction tokens.
Loss of Auction Tokens: Some tokens may become permanently stuck in the contract, leading to a loss of value for users or the protocol.

Tools Used

Manual code review

Recommendations

To mitigate this issue, it is recommended to replace this in AuctionToken:

multiplier = totalTokens.mul(PRECISION_18).div(totalBids);

By this:

multiplier = auctionToken.balanceOf(address(this)).mul(PRECISION_18).div(totalBids);

In the same time, the totalTokens variable can be deleted.

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.