DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Valid

If an auction ends with `Bids == 0`, the funds will be locked in the Factory contract

Summary

Vulnerability Details

The function `auctionEnd()` is called once the auction time has elapsed.

If an auction finishes with no bids (`totalBids == 0`), the whole token allocation is sent to `owner`:

```solidity
function auctionEnd() external {
    if (block.timestamp < auctionEndTime) {
        revert AuctionNotYetEnded();
    }
    if (ended) {
        revert AuctionEndAlreadyCalled();
    }
    ended = true;
    emit AuctionEnded(totalBids, totalTokens);
    if (totalBids == 0) {
        auctionToken.transfer(owner, totalTokens); // @audit-issue owner is the factory, which cannot move tokens
        return;
    }
    multiplier = totalTokens.mul(PRECISION_18).div(totalBids);
    // Burn the FjordPoints held by the contract
    uint256 pointsToBurn = fjordPoints.balanceOf(address(this));
    fjordPoints.burn(pointsToBurn);
}
```

Here `owner` is set in the constructor to `msg.sender`. Because the auction is deployed by the factory, `msg.sender` in that constructor is the `FjordAuctionFactory` contract.

To confirm this I ran a test in Remix with the simplest possible versions of `FjordAuctionFactory` and `FjordAuction`, whose only purpose is to check who ends up as `owner`:

```solidity
// Auction.sol (imported by the factory below as "./Auction.sol")
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity =0.8.21;

contract FjordAuction {
    /// @notice The owner of the auction contract.
    address public owner;

    constructor() {
        // Whoever deploys this contract becomes owner; when the factory
        // deploys it, that is the factory address.
        owner = msg.sender;
    }
}
```

```solidity
// AuctionFactory.sol
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity =0.8.21;

import "./Auction.sol";

contract AuctionFactory {
    address public owner;
    address public deployedAdd;

    constructor() {
        owner = msg.sender;
    }

    /// @notice Deploy an auction with CREATE2, as the real factory does.
    function createAuction(bytes32 salt) external {
        deployedAdd = address(new FjordAuction{ salt: salt }());
    }
}
```

Results:

Wallet address used = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4

AuctionFactory address = 0xd7Ca4e99F7C171B9ea2De80d3363c47009afaC5F

Salt used = 0x7465737400000000000000000000000000000000000000000000000000000000

Deployed Auction address = 0x3Cc7DdeaF7c56C706c40EEc44A3e349aD1fF7710

Owner address in Auction contract = 0xd7Ca4e99F7C171B9ea2De80d3363c47009afaC5F

The `owner` stored in the auction equals the factory address, not the wallet that called `createAuction`. So in the zero-bid case the tokens are sent to the `FjordAuctionFactory` contract.

The problem is that `FjordAuctionFactory` has no function to move tokens out of itself, so the `auctionToken` balance sent to it by a zero-bid auction is stuck there permanently.

Links

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L192

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuctionFactory.sol#L59

Tools Used

Remix, VS Code

Recommendations

Add the function below to `FjordAuctionFactory.sol` so the factory owner can recover tokens that land there. Note that it relies on `transfer` reverting on failure; for tokens that return `false` instead, use SafeERC20's `safeTransfer`. An alternative fix is to have `auctionEnd()` return the tokens to the auction creator (the factory owner) rather than to the factory itself.

```solidity
function extractERC20(IERC20 token, address recipient) external onlyOwner {
    uint256 balance = token.balanceOf(address(this)); // Get the contract's token balance
    require(balance > 0, "Contract has no tokens");
    token.transfer(recipient, balance); // Transfer all tokens to the recipient
}
```
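As an added reproduction of both the lock described above and the effect of the recommended `extractERC20`, here is a Foundry test written for this page. It is not code from the Fjord repository or from the Remix test in this report. `MockToken`, `ToyAuction`, `ToyFactory`, `FixedFactory`, their constructor parameters and the `require`-based checks are assumptions: only the zero-bid branch of `auctionEnd()` is modelled, and the factory is reduced to "deploy with CREATE2 and fund the auction".

```solidity
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity 0.8.21;

import {Test} from "forge-std/Test.sol";

// Constructed ERC20 stand-in: just enough surface for the test (assumption).
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external returns (bool) {
        require(balanceOf[msg.sender] >= amt, "insufficient balance");
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Simplified auction: owner = msg.sender of the constructor, i.e. the factory,
// and the zero-bid branch of auctionEnd() sends all tokens to that owner.
contract ToyAuction {
    address public owner;
    MockToken public auctionToken;
    uint256 public auctionEndTime;
    uint256 public totalTokens;
    uint256 public totalBids;
    bool public ended;

    constructor(MockToken token, uint256 duration, uint256 tokens) {
        owner = msg.sender;
        auctionToken = token;
        auctionEndTime = block.timestamp + duration;
        totalTokens = tokens;
    }

    function auctionEnd() external {
        require(block.timestamp >= auctionEndTime, "auction not yet ended");
        require(!ended, "auction end already called");
        ended = true;
        if (totalBids == 0) {
            auctionToken.transfer(owner, totalTokens); // owner is the factory
            return;
        }
        // Bid settlement omitted: it is irrelevant to the zero-bid path.
    }
}

// Factory as the report describes it: deploys and funds the auction,
// and has no function that can move tokens back out.
contract ToyFactory {
    address public owner;
    constructor() { owner = msg.sender; }

    function createAuction(MockToken token, uint256 duration, uint256 tokens, bytes32 salt)
        external returns (address)
    {
        ToyAuction a = new ToyAuction{salt: salt}(token, duration, tokens);
        token.transfer(address(a), tokens);
        return address(a);
    }
}

// Same factory with the recommended rescue function added.
contract FixedFactory is ToyFactory {
    function extractERC20(MockToken token, address recipient) external {
        require(msg.sender == owner, "not owner");
        uint256 bal = token.balanceOf(address(this));
        require(bal > 0, "Contract has no tokens");
        require(token.transfer(recipient, bal), "transfer failed");
    }
}

contract ZeroBidLockTest is Test {
    MockToken token;
    address deployer = address(0xA11CE); // constructed EOA that deploys the factory

    function setUp() public { token = new MockToken(); }

    // Run one auction to completion with zero bids and check where the tokens land.
    function _runZeroBidAuction(ToyFactory f) internal {
        token.mint(address(f), 1000e18);
        ToyAuction a = ToyAuction(f.createAuction(token, 1 days, 1000e18, keccak256("test")));
        assertEq(a.owner(), address(f)); // owner is the factory, as the Remix check showed
        vm.warp(block.timestamp + 1 days + 1);
        a.auctionEnd();                  // zero bids: tokens go to the factory
        assertEq(token.balanceOf(address(f)), 1000e18);
    }

    function testTokensStuckInFactory() public {
        vm.prank(deployer);
        ToyFactory f = new ToyFactory();
        _runZeroBidAuction(f);
        // ToyFactory exposes no function that moves its balance; the tokens stay here.
        assertEq(token.balanceOf(address(f)), 1000e18);
    }

    function testExtractERC20Recovers() public {
        vm.prank(deployer);
        FixedFactory f = new FixedFactory();
        _runZeroBidAuction(f);
        vm.prank(deployer);
        f.extractERC20(token, deployer);
        assertEq(token.balanceOf(deployer), 1000e18);
        assertEq(token.balanceOf(address(f)), 0);
    }
}
```

Run it with `forge test --match-contract ZeroBidLockTest`. The first test passes only because there is nothing to call: that absence is the bug. The second shows the factory owner draining the stuck balance once the rescue function exists; in the real code base `onlyOwner` and `IERC20` replace the inline owner check and the mock.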
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

If no bids are placed during the auction, the `auctionToken` will be permanently locked within the `AuctionFactory`

An auction with 0 bids will get the `totalTokens` stuck inside the contract.

Impact: High - Tokens are forever lost

Likelihood: Low - Super small chances of happening, but not impossible
