A whale can cheat the auction system/mechanism
The issue lies in the fact that there is a window in which both unbid()
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L159-L160 and auctionEnd()
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L181-L182 can be called. Because of how the revert conditions are written (unbid() reverts only when block.timestamp is strictly greater than auctionEndTime, and auctionEnd() reverts only when it is strictly less), both functions can be called at exactly block.timestamp == auctionEndTime, and therefore in the same block or even the same transaction.
A whale, or anyone with relatively high capital, can use this to manipulate the auction. Consider the following instance.
A new auction is created and the whale bids 1 million points. This discourages every other person, or most people, from joining that auction, but that in itself is fair: the protocol receives the bid (1 million points), so at the end of the auction the whale is expected to hold most of the tokens being auctioned.
Then, at exactly block.timestamp == auctionEndTime, the whale calls unbid()
and withdraws a significant amount of points, knowing that it will still hold the majority share of the bids, and in the same block (ideally the same transaction, so that no other bidder can react) calls auctionEnd(),
which sets the multiplier from the current, now reduced, totalBids
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L197 (hence the whale still receives the majority share of the tokens being auctioned, but has paid far fewer points for them) and then goes ahead and claims the tokens. https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L217-L218
(NB: this can be done with a bot or a helper contract and can be very quick; the other bidders have no opportunity to respond to the withdrawn bid.)
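To make the timing window and its effect on the multiplier concrete, the following Python model (an added illustration, not the project's Solidity and not code from this report) reproduces only the checks and arithmetic the finding relies on: bidding and unbidding revert only when the timestamp is strictly greater than auctionEndTime, auctionEnd() reverts only when it is strictly less, and the multiplier is totalTokens * 1e18 / totalBids at the moment auctionEnd() is called. The bidder names and amounts, the 18-decimal units, the error strings and the close_at_end_time switch (a hypothetical >= check, shown only to contrast the outcome) are assumptions of the model.

```python
# Model of the FjordAuction bid/unbid/auctionEnd/claimTokens state machine,
# restricted to the checks and arithmetic the finding relies on. Added
# illustration, not the project's code; error messages are the model's own.

PRECISION_18 = 10**18   # scale used for the multiplier
UNIT = 10**18           # assumption: 18-decimal points and tokens


class AuctionError(Exception):
    """Stands in for a revert."""


class AuctionModel:
    def __init__(self, auction_end_time, total_tokens, close_at_end_time=False):
        self.auction_end_time = auction_end_time
        self.total_tokens = total_tokens
        # False: bidding closes only when timestamp > auctionEndTime (the
        # behaviour the finding describes). True: hypothetical >= check.
        self.close_at_end_time = close_at_end_time
        self.bids = {}
        self.total_bids = 0
        self.ended = False
        self.multiplier = 0

    def _bidding_closed(self, now):
        if self.close_at_end_time:
            return now >= self.auction_end_time
        return now > self.auction_end_time

    def bid(self, now, who, amount):
        if self._bidding_closed(now):
            raise AuctionError("auction already ended")
        self.bids[who] = self.bids.get(who, 0) + amount
        self.total_bids += amount

    def unbid(self, now, who, amount):
        if self._bidding_closed(now):
            raise AuctionError("auction already ended")
        user_bids = self.bids.get(who, 0)
        if user_bids == 0:
            raise AuctionError("no bids to withdraw")
        if amount > user_bids:
            raise AuctionError("invalid unbid amount")
        self.bids[who] = user_bids - amount
        self.total_bids -= amount

    def auction_end(self, now):
        # Allowed as soon as timestamp >= auctionEndTime, i.e. in the same
        # block (or transaction) as an unbid at timestamp == auctionEndTime.
        if now < self.auction_end_time:
            raise AuctionError("auction not yet ended")
        if self.ended:
            raise AuctionError("auction end already called")
        self.ended = True
        if self.total_bids == 0:
            return
        # The multiplier is fixed from whatever totalBids is right now.
        self.multiplier = self.total_tokens * PRECISION_18 // self.total_bids

    def claim_tokens(self, who):
        if not self.ended:
            raise AuctionError("auction not yet ended")
        user_bids = self.bids.get(who, 0)
        if user_bids == 0:
            raise AuctionError("no tokens to claim")
        claimable = user_bids * self.multiplier // PRECISION_18
        self.bids[who] = 0
        return claimable


def whale_scenario(manipulate, close_at_end_time=False):
    """Return (whale tokens received, whale points spent, final totalBids).

    Constructed numbers: 101,000 tokens on offer, a 1M-point whale bid that
    deters everyone except two small bidders (10,000 points in total).
    """
    end = 1_000
    auction = AuctionModel(end, 101_000 * UNIT, close_at_end_time)
    auction.bid(10, "whale", 1_000_000 * UNIT)
    auction.bid(20, "alice", 6_000 * UNIT)
    auction.bid(30, "bob", 4_000 * UNIT)
    spent = 1_000_000 * UNIT
    if manipulate:
        # timestamp == auctionEndTime: unbid and auctionEnd in one bundle
        auction.unbid(end, "whale", 900_000 * UNIT)
        spent -= 900_000 * UNIT
    auction.auction_end(end)
    return auction.claim_tokens("whale"), spent, auction.total_bids


def fix_blocks_last_second_unbid():
    """With a >= check the same bundle reverts at the unbid step."""
    try:
        whale_scenario(manipulate=True, close_at_end_time=True)
    except AuctionError:
        return True
    return False


if __name__ == "__main__":
    for label, manipulate in (("honest", False), ("unbid+auctionEnd at end", True)):
        tokens, spent, _ = whale_scenario(manipulate)
        print(f"{label}: {tokens / UNIT:,.0f} tokens for {spent / UNIT:,.0f} points "
              f"({spent / tokens:.2f} points per token)")
    print("hypothetical >= check blocks the bundle:", fix_blocks_last_second_unbid())
```

In the honest run the whale pays 1,000,000 points for 100,000 tokens (10 points per token); with the last-second unbid it pays 100,000 points for roughly 91,800 tokens (about 1.09 points per token), because the multiplier is computed from the reduced totalBids while the two small bidders' shares were set when the 1M bid was still in place. Whether a >= check is the right fix for the contract is a separate question; the model only shows that the window, not the deterrence itself, is what the whale exploits.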
The protocol loses a lot of value through this manipulation: the whale ends up with roughly the same share of the auctioned tokens for a fraction of the points it originally committed, and the protocol receives far fewer points for the tokens it gives away.
Manual Review
I don't have a clear recommendation now with the current implementation that does not introduce new edge cases.