DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Valid

Locked tokens in FjordAuctionFactory

Summary

Possible locked auction tokens in FjordAuctionFactory contract.

Vulnerability Details

At https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L193, auctionToken.transfer sends the tokens to the owner of the contract.
The owner of the contract is set in the constructor and is the FjordAuctionFactory contract (https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L134).
If totalBids == 0, totalTokens is sent to the FjordAuctionFactory contract and is locked there.
As a result, the owner of the FjordAuctionFactory contract loses its auction tokens.

Impact

totalTokens will be locked in the FjordAuctionFactory contract and will be stuck there forever.

Tools Used

Manual review

Recommendations

Add another immutable state variable "tokensReceiver", assigned in the constructor, and use it as the transfer receiver when totalBids == 0.
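A sketch of this recommendation, added here as an example and not taken from the Fjord repository or the submission. `AuctionSketch` and `AuctionFactorySketch` are hypothetical, simplified contracts that model only the no-bid path, and passing the factory's owner as `tokensReceiver` is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration; not the Fjord contracts.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract AuctionSketch {
    IERC20 public immutable auctionToken;
    address public immutable owner;          // msg.sender of the constructor: the factory
    address public immutable tokensReceiver; // recommended addition: receives unsold tokens
    uint256 public immutable auctionEndTime;
    uint256 public immutable totalTokens;
    uint256 public totalBids;                // bidding is not modelled, so this stays 0
    bool public ended;

    constructor(IERC20 token, address receiver, uint256 biddingTime, uint256 tokens) {
        require(receiver != address(0), "receiver is zero");
        auctionToken = token;
        owner = msg.sender;
        tokensReceiver = receiver;
        auctionEndTime = block.timestamp + biddingTime;
        totalTokens = tokens;
    }

    function auctionEnd() external {
        require(block.timestamp >= auctionEndTime, "auction not yet ended");
        require(!ended, "auctionEnd already called");
        ended = true;
        if (totalBids == 0) {
            // Locking pattern from the finding: transfer(owner, totalTokens), owner == factory.
            require(auctionToken.transfer(tokensReceiver, totalTokens), "transfer failed");
            return;
        }
        // Settlement for auctions that received bids is outside this sketch.
    }
}

contract AuctionFactorySketch {
    address public immutable owner = msg.sender;
    function createAuction(IERC20 token, uint256 biddingTime, uint256 tokens) external returns (address) {
        require(msg.sender == owner, "not owner");
        // The factory is the auction's msg.sender, so it passes its own owner as the receiver.
        AuctionSketch auction = new AuctionSketch(token, owner, biddingTime, tokens);
        require(token.transferFrom(msg.sender, address(auction), tokens), "funding failed");
        return address(auction);
    }
}
```

The zero-address check on the receiver matters here because the variable is immutable: a wrong value at deployment would recreate the same locked-token outcome with no way to correct it.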

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

If no bids are placed during the auction, the `auctionToken` will be permanently locked within the `AuctionFactory`

An auction with 0 bids will get the `totalTokens` stuck inside the contract.
Impact: High - Tokens are forever lost.
Likelihood: Low - Super small chances of happening, but not impossible.
