The bid function in the FjordAuction contract does not verify the return value of the transferFrom call to the FjordPoints contract. This oversight allows a malicious actor to place bids without actually transferring tokens, potentially leading to a loss of funds and compromising the integrity of the auction.
In the bid function of the FjordAuction contract, the following line is problematic:
This function call is not checked for its return value. According to the ERC20 standard, transferFrom returns a boolean indicating whether the transfer succeeded or failed. By not checking this return value, the contract assumes the transfer was successful even when it was not.
A malicious contract could implement a transferFrom function that always returns true without actually transferring any tokens. If such a contract interacts with the FjordAuction contract, it could place bids without actually transferring any FjordPoints, because the auction contract would not detect the failed transfer.
1: The auction could distribute rewards based on bids that were never actually backed by token transfers.
2: An attacker could place arbitrarily large bids at no cost, potentially manipulating the auction outcome.
3: Unfair advantage: malicious actors could outbid honest participants without actually staking any tokens.
Manual review
1: Always check the return value of transferFrom:
2: Alternatively, use OpenZeppelin's SafeERC20 library, which provides a safeTransferFrom function that handles this check internally:
3: Implement additional checks to ensure the contract's token balance increases by the expected amount after the transfer.
4: Consider using a pull payment system instead of push payments to mitigate risks associated with failed transfers.
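As an added illustration (not the FjordAuction source, which the finding does not reproduce here), a hypothetical minimal auction with the unchecked pattern beside a version applying mitigations 2 and 3; the contract names, storage layout and the constructor are assumptions made for this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical, stripped-down auction written for this illustration;
// it is not the FjordAuction source and only shows the bid accounting.
contract UncheckedBidAuction {
    IERC20 public immutable fjordPoints;
    mapping(address => uint256) public bids;
    uint256 public totalBids;

    constructor(IERC20 points) { fjordPoints = points; }

    // VULNERABLE pattern from the finding: the bool returned by
    // transferFrom is discarded, so a transfer that returns false
    // (or that reports true without moving any tokens) is still
    // credited as a bid.
    function bid(uint256 amount) external {
        fjordPoints.transferFrom(msg.sender, address(this), amount);
        bids[msg.sender] += amount;
        totalBids += amount;
    }
}

contract CheckedBidAuction {
    using SafeERC20 for IERC20;

    IERC20 public immutable fjordPoints;
    mapping(address => uint256) public bids;
    uint256 public totalBids;

    constructor(IERC20 points) { fjordPoints = points; }

    // FIXED: safeTransferFrom reverts if the call fails or returns false
    // (mitigation 2), and the balance-delta check rejects a token that
    // claims success without delivering the full amount (mitigation 3).
    function bid(uint256 amount) external {
        uint256 before = fjordPoints.balanceOf(address(this));
        fjordPoints.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = fjordPoints.balanceOf(address(this)) - before;
        require(received == amount, "bid: token transfer shortfall");
        bids[msg.sender] += received;
        totalBids += received;
    }
}
```

The balance-delta check also covers fee-on-transfer tokens, which would otherwise let a bidder be credited for more than the contract actually holds.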