Fjord Token Staking

Summary

The FjordAuction::bid allows users to place bids using FjordPoints tokens, with bids immediately recorded and visible on the blockchain. Adversaries can monitor the transaction pool (mempool) and influence the auction's outcome by strategically placing and withdrawing bids, affecting perceived value and demand.

Link: https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L143C5-L153C6

Vulnerability Details

Impact

Let's consider this scenario.

• _totalTokens = 1000

• _biddingTime = 300 sec (= 5 days)

• Carol: initially bids 100 FjordPointson day 1

• Alice: bids 200 FjordPoints on day 1

• Bob: bids 200 FjordPoints on day 3

• Carol: bids more 500 FjordPointson day 4 after seeing the bids from Alice and Bob, to increment her shares. Now she has 600 FjordPointson bids.

• We suppose no other bids will be placed before the end of the auction.

Case 1: Carol places only the first bid.

• multiplier= 1000 / (200+200+100) = 2

• Carol: claims 100 * 2 = 200 (=20%)

• Alice: claims 200 * 2= 400 (=40%)

• Bob: claims 200 * 2= 400 (=40%)

Case 2: Carol monitors the mempool and places also the second bid.

• multiplier= 1000 / (200+200+600) = 1

• Carol: claims 600 * 1 = 600 (=60%)

• Alice: claims 200 * 1 = 200 (=20%)

• Bob: claims 200 * 1 = 200 (=20%)

Carol front-run the system, monitoring the mempool, she exploits the transparency of bids to make a strategic decision, adding new a bid based on the visible bids of Alice and Bob.

Tools Used

Manual review

Recommendations

Implementing a commit-reveal scheme would mitigate these issues by ensuring bids remain confidential until the auction concludes.