Auction tokens can become permanently locked in the FjordAuctionFactory contract if no bids are placed
Summary
If an auction concludes without any bids, the auction tokens are transferred to the owner address, which is set to the FjordAuctionFactory contract. This can result in tokens becoming permanently locked in the factory contract, as there is no mechanism to retrieve them.
Vulnerability Details
In FjordAuction.sol, the contract's owner is set to the msg.sender in the constructor, which is the FjordAuctionFactory contract:
If the auction ends with no bids, all auction tokens are transferred to the owner address:
The FjordAuctionFactory contract lacks functionality to withdraw or redistribute these tokens, effectively locking them in the contract permanently.
Impact
This vulnerability can lead to permanent loss of tokens for project creators if their auction receives no bids.
Tools Used
Manual
Recommendations
Add a
beneficiaryparameter to thecreateAuctionfunction inFjordAuctionFactory.Pass this beneficiary address to the
FjordAuctionconstructor.Update the
FjordAuctioncontract to use thisbeneficiaryaddress instead ofownerwhen transferring tokens in case of no bids.
Lead Judging Commences
If no bids are placed during the auction, the `auctionToken` will be permanently locked within the `AuctionFactory`
An auction with 0 bids will get the `totalTokens` stuck inside the contract. Impact: High - Tokens are forever lost Likelihood - Low - Super small chances of happening, but not impossible
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.