DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Missing validation for an important constructor parameter

Summary

Missing validation for an important constructor parameter

Vulnerability Details

After diving into the FjordAuction contract in FjordAuction.sol we can see that the contract has a constructor which takes 4 parameters.

    /**
     * @dev Sets the token contract address and auction duration.
     * @param _fjordPoints The address of the FjordPoints token contract.
     * @param _biddingTime The duration of the auction in seconds.
     * @param _totalTokens The total number of tokens to be auctioned.
     */
    constructor(
        address _fjordPoints,
        address _auctionToken,
        uint256 _biddingTime,
        uint256 _totalTokens
    ) {
        if (_fjordPoints == address(0)) {
            revert InvalidFjordPointsAddress();
        }
        if (_auctionToken == address(0)) {
            revert InvalidAuctionTokenAddress();
        }
        fjordPoints = ERC20Burnable(_fjordPoints);
        auctionToken = IERC20(_auctionToken);
        owner = msg.sender;
        auctionEndTime = block.timestamp.add(_biddingTime); // @audit
        totalTokens = _totalTokens;
    }

The uint256 parameter _biddingTime, which is the duration of the auction in seconds, is not checked for being 0 or an otherwise inadequate value.

Impact

An auction with an incorrect duration can be created.

Tools Used

Manual Review

Recommendations

Add an if statement that checks that _biddingTime is more than 0, or at least the minimum auction duration that the protocol requires. Example:

    if (_biddingTime == 0) {
        revert InvalidBiddingTime();
    }
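
The recommendation above, extended to a lower and an upper bound with Foundry tests, as an added example that is not code from the submission or from the FjordAuction project. The contract name, the two bound constants and their values, and the error's argument are assumptions; the page does not state the protocol's required duration. It assumes Solidity 0.8 checked arithmetic in place of the original's `.add` and that forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

import {Test} from "forge-std/Test.sol";

// Added illustration, not the FjordAuction source: only duration handling is modelled.
contract BoundedAuctionTiming {
    // Hypothetical bounds; the page does not say what the protocol requires.
    uint256 public constant MIN_BIDDING_TIME = 1 hours;
    uint256 public constant MAX_BIDDING_TIME = 30 days;

    uint256 public immutable auctionEndTime;

    error InvalidBiddingTime(uint256 provided);

    constructor(uint256 _biddingTime) {
        // 0 would make auctionEndTime equal the deployment timestamp; an
        // oversized value would push the end arbitrarily far out. Reject both.
        if (_biddingTime < MIN_BIDDING_TIME || _biddingTime > MAX_BIDDING_TIME) {
            revert InvalidBiddingTime(_biddingTime);
        }
        auctionEndTime = block.timestamp + _biddingTime;
    }
}

contract BoundedAuctionTimingTest is Test {
    function test_RevertsOnZeroDuration() public {
        vm.expectRevert(
            abi.encodeWithSelector(BoundedAuctionTiming.InvalidBiddingTime.selector, uint256(0))
        );
        new BoundedAuctionTiming(0);
    }

    function test_RevertsAboveMaximum() public {
        uint256 tooLong = 30 days + 1;
        vm.expectRevert(
            abi.encodeWithSelector(BoundedAuctionTiming.InvalidBiddingTime.selector, tooLong)
        );
        new BoundedAuctionTiming(tooLong);
    }

    function test_AcceptsDurationInRange() public {
        BoundedAuctionTiming a = new BoundedAuctionTiming(1 days);
        assertEq(a.auctionEndTime(), block.timestamp + 1 days);
    }
}
```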

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
