DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Unclaimed tokens Post-Auction (in `FjordAuction`) are lost and this affects the tokenomics of the project

Summary

In the FjordAuction contract, after the auction ends, users who participated in the bidding can claim their auction tokens using the claimTokens() function. However, there is no mechanism to deal with unclaimed tokens if some users fail to claim them. As a result, these unclaimed tokens will remain locked in the contract indefinitely.

Vulnerability Details

There is no mechanism to handle unclaimed tokens after the auction has ended. If some users do not claim their tokens, those tokens will remain locked in the contract indefinitely.

  • Locked Tokens: If users do not claim their tokens, these tokens are essentially locked in the contract and cannot be used or redistributed, reducing the circulating supply of auctionToken.

  • Economic Impact: The reduction in the circulating supply of auctionToken may have unintended consequences on the tokenomics of the project, potentially affecting liquidity, token value, and overall market behavior.

Impact

Locked tokens are effectively lost, reducing the supply of auctionToken and possibly affecting the tokenomics of the project.

Tools Used

Manual Review

Recommendations

Implement a deadline for token claims after which unclaimed tokens can be retrieved by the auction owner or redistributed.
The implementation could be as follows:

```solidity
/**
 * @notice Allows users to claim their tokens after the auction has ended.
 * @dev Users have a limited time to claim their tokens. After the deadline,
 * the owner can reclaim or redistribute unclaimed tokens.
 */
function claimTokens() external {
    if (!ended) {
        revert AuctionNotYetEnded();
    }
    uint256 userBids = bids[msg.sender];
    if (userBids == 0) {
        revert NoTokensToClaim();
    }
    uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
    bids[msg.sender] = 0;
    auctionToken.transfer(msg.sender, claimable);
    emit TokensClaimed(msg.sender, claimable);
}

/**
 * @notice Reclaims unclaimed tokens after a certain period post-auction.
 * @dev The owner can call this function to reclaim any unclaimed tokens
 * after the specified claim deadline has passed.
 */
function reclaimUnclaimedTokens() external onlyOwner {
    // Ensure that the auction has ended and the claim period has passed
    if (!ended) {
        revert AuctionNotYetEnded();
    }
    if (block.timestamp < auctionEndTime + claimPeriod) {
        revert ClaimPeriodNotYetEnded();
    }
    // Calculate the total unclaimed tokens
    uint256 unclaimedTokens = auctionToken.balanceOf(address(this));
    // Transfer unclaimed tokens back to the owner or designated wallet
    auctionToken.transfer(owner, unclaimedTokens);
    emit UnclaimedTokensReclaimed(owner, unclaimedTokens);
}
```

  • `reclaimUnclaimedTokens()` function:

      • After the auction has ended and the claim period has passed, the auction owner can call this function to reclaim any unclaimed tokens.

      • The function checks that the auction has ended and that the current time is beyond the claim period.

      • It then calculates the remaining tokens in the contract and transfers them to the owner, ensuring that no tokens are left locked in the contract.
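The following accounting model is an added illustration, not the submission's or the project's code. It shows the balance left in the contract when bidders never claim, and that sweeping the full balance after the deadline makes any later `claimTokens()` call revert. The `multiplier` formula, the bidder names, the 7-day `claimPeriod` and the `TransferExceedsBalance` error name are assumptions.

```python
PRECISION_18 = 10**18

class AuctionModel:
    """Constructed accounting model of the claim/reclaim flow (not FjordAuction itself)."""

    def __init__(self, total_tokens, bids, end_time, claim_period):
        self.bids = dict(bids)            # bidder -> amount bid
        self.balance = total_tokens       # auctionToken held by the contract
        self.end_time = end_time
        self.claim_period = claim_period  # hypothetical parameter from the recommendation
        # Assumption: multiplier = totalTokens * 1e18 / totalBids, fixed at auction end
        self.multiplier = total_tokens * PRECISION_18 // sum(self.bids.values())

    def claim_tokens(self, user):
        user_bids = self.bids.get(user, 0)
        if user_bids == 0:
            raise RuntimeError("NoTokensToClaim")
        claimable = user_bids * self.multiplier // PRECISION_18
        if claimable > self.balance:      # models the token transfer reverting
            raise RuntimeError("TransferExceedsBalance")
        self.bids[user] = 0
        self.balance -= claimable
        return claimable

    def reclaim_unclaimed_tokens(self, now):
        if now < self.end_time + self.claim_period:
            raise RuntimeError("ClaimPeriodNotYetEnded")
        swept, self.balance = self.balance, 0  # whole balance, like balanceOf(address(this))
        return swept

def run_scenario():
    # Constructed input: 1,000 tokens (18 decimals), three bidders, 7-day claim window
    day = 86_400
    a = AuctionModel(1_000 * PRECISION_18, {"alice": 50, "bob": 30, "carol": 20},
                     end_time=0, claim_period=7 * day)
    got_alice = a.claim_tokens("alice")
    stranded = a.balance                  # bob and carol never claimed
    try:
        a.reclaim_unclaimed_tokens(now=6 * day)
        early = "allowed"
    except RuntimeError as e:
        early = str(e)
    swept = a.reclaim_unclaimed_tokens(now=8 * day)
    try:
        a.claim_tokens("bob")
        late = "paid"
    except RuntimeError as e:
        late = str(e)
    return got_alice, stranded, early, swept, late
```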

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
