DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

No Withdrawal After Auction End

Summary

Once the auction ends, users can no longer withdraw their bids, even if they do not win any tokens (e.g., if the total number of bids is zero). This could result in locked funds if users bid but don't receive any tokens.

Vulnerability Details

Users who place bids but do not win any tokens (e.g., if there are no tokens left for distribution or if their bid does not entitle them to any tokens) are unable to withdraw their FjordPoints after the auction ends. This could result in locked funds for participants who didn't win any tokens, which could be seen as unfair and lead to frustration.

Impact

Tools Used

Recommendations

Allow users to withdraw their bids after the auction ends if they haven't claimed any tokens.

You can achieve this by modifying the claimTokens function to allow users to withdraw their FjordPoints if they don't receive any tokens. Here's how you can implement it:

1. Track Claimed Status: Add a mapping to track whether a user has already claimed their tokens or not. This will allow users who haven't received any tokens to withdraw their FjordPoints after the auction ends.

    mapping(address => bool) public hasClaimed;

2. Modify the claimTokens Function: Adjust the claimTokens function to allow users to withdraw their bids if their claimable amount is zero. This ensures that users can recover their FjordPoints if they didn't receive any tokens.

    function claimTokens() external {
        if (!ended) {
            revert AuctionNotYetEnded();
        }
        uint256 userBids = bids[msg.sender];
        if (userBids == 0) {
            revert NoTokensToClaim();
        }
        uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
        // Update state before any external transfer (checks-effects-interactions)
        // Mark the user as having claimed
        hasClaimed[msg.sender] = true;
        // Reset user's bid to zero
        bids[msg.sender] = 0;
        if (claimable > 0) {
            // Transfer the auction tokens
            auctionToken.transfer(msg.sender, claimable);
            emit TokensClaimed(msg.sender, claimable);
        } else {
            // If claimable is zero, allow the user to withdraw their FjordPoints
            fjordPoints.transfer(msg.sender, userBids);
            emit BidWithdrawn(msg.sender, userBids);
        }
    }

3. Ensure Withdrawals Work for All Scenarios: Consider adding a separate function that users can call to withdraw their bids if they haven't claimed any tokens. This function would be useful in scenarios where they decide not to claim tokens and would prefer to retrieve their FjordPoints instead.

    function withdrawAfterAuction() external {
        if (!ended) {
            revert AuctionNotYetEnded();
        }
        if (hasClaimed[msg.sender]) {
            revert NoBidsToWithdraw();
        }
        uint256 userBids = bids[msg.sender];
        if (userBids == 0) {
            revert NoBidsToWithdraw();
        }
        // Update state before the external transfer (checks-effects-interactions)
        bids[msg.sender] = 0;
        hasClaimed[msg.sender] = true;
        fjordPoints.transfer(msg.sender, userBids);
        emit BidWithdrawn(msg.sender, userBids);
    }

hasClaimed Mapping: This keeps track of whether a user has claimed their tokens or withdrawn their bid. It prevents users from claiming tokens multiple times or withdrawing after claiming tokens.

Zero Claimable Handling: If the user has no tokens to claim (i.e., their claimable amount is zero), they are allowed to withdraw their FjordPoints instead.

Separate Withdrawal Function: Providing a separate function ensures that users can manually withdraw their bids if they choose not to claim any tokens after the auction ends.
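
The settlement rules in the recommendation above can be checked as a small state model. This Python sketch is an added example, not code from the submission or from the audited contracts; it covers only the post-auction state (`ended` is true), takes `multiplier` as a given input, and the names `AuctionModel` and `settles_once` are hypothetical.

```python
from collections import Counter
from contextlib import suppress
from itertools import product

PRECISION_18 = 10**18

class Revert(Exception): pass  # stands in for a Solidity revert

class AuctionModel:
    """Constructed model of the two post-auction paths proposed above."""
    def __init__(self, bids, multiplier):
        self.bids = dict(bids)        # FjordPoints bid per user
        self.multiplier = multiplier  # assumed to be fixed once the auction ends
        self.has_claimed = set()
        self.points_out, self.tokens_out = Counter(), Counter()

    def claim_tokens(self, user):
        user_bids = self.bids.get(user, 0)
        if user_bids == 0:
            raise Revert("NoTokensToClaim")
        claimable = user_bids * self.multiplier // PRECISION_18
        self.bids[user] = 0           # effects first, then payouts
        self.has_claimed.add(user)
        if claimable > 0:
            self.tokens_out[user] += claimable
        else:
            self.points_out[user] += user_bids  # zero-claimable refund path

    def withdraw_after_auction(self, user):
        user_bids = self.bids.get(user, 0)
        if user in self.has_claimed or user_bids == 0:
            raise Revert("NoBidsToWithdraw")
        self.bids[user] = 0
        self.has_claimed.add(user)
        self.points_out[user] += user_bids

def settles_once(bids, multiplier, max_calls=4):
    """Try every call sequence: each user is paid at most once, via one path."""
    calls = [(fn, u) for fn in ("claim_tokens", "withdraw_after_auction") for u in bids]
    for seq in product(calls, repeat=max_calls):
        m = AuctionModel(bids, multiplier)
        for fn, user in seq:
            with suppress(Revert):    # reverted calls leave state unchanged
                getattr(m, fn)(user)
        for user, bid in bids.items():
            points, tokens = m.points_out[user], m.tokens_out[user]
            if points not in (0, bid) or (points and tokens):
                return False
    return True
```
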

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
