DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

User can bid 0 amount of FjordPoints

Summary

User can bid 0 amount of FjordPoints

Vulnerability Details

Proof of Concept

Add the following test, testBidWithZeroAmount, to test/unit/auction.t.sol and run it with forge test --mt testBidWithZeroAmount -vvvvv.

function testBidWithZeroAmount() public {
    address bidder = address(0x2);
    uint256 bidAmount = 0 ether; // a zero-value bid

    // Give the bidder exactly the bid amount (0) of FjordPoints.
    deal(address(fjordPoints), bidder, bidAmount);

    vm.startPrank(bidder);
    fjordPoints.approve(address(auction), bidAmount);
    auction.bid(bidAmount); // does not revert: the zero bid is accepted
    vm.stopPrank();

    // The zero bid is recorded and no tokens move.
    assertEq(auction.bids(bidder), bidAmount);
    assertEq(fjordPoints.balanceOf(bidder), 0);
    assertEq(fjordPoints.balanceOf(address(auction)), bidAmount);
}

Test result:

[⠆] Compiling...
No files changed, compilation skipped
Ran 1 test for test/unit/auction.t.sol:TestAuction
[PASS] testBidWithZeroAmount() (gas: 209342)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.91ms (613.70µs CPU time)
Ran 1 test suite in 667.23ms (1.91ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

A user can submit a bid of 0 FjordPoints; the call succeeds and records a zero bid, which is unnecessary and redundant.

Code Snippet

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordAuction.sol#L139-L153

Tools Used

Manual Review, Foundry

Recommendations

Add a check in bid() that rejects a uint256 amount of 0. Example (assuming a custom error InvalidBidAmount is declared in the contract):

    if (amount == 0) {
        revert InvalidBidAmount();
    }
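The following is an added illustration of the recommended guard together with a Foundry regression test; it is hypothetical example code, not FjordAuction's own implementation, and the contract name ZeroCheckedAuction, the inline IERC20 interface and the placeholder token address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal ERC-20 surface the bid path needs (inline so the example is self-contained).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the auction's bid path; not FjordAuction's own code.
contract ZeroCheckedAuction {
    error InvalidBidAmount();
    event BidAdded(address indexed bidder, uint256 amount);
    IERC20 public immutable fjordPoints;
    mapping(address => uint256) public bids;
    uint256 public totalBids;

    constructor(IERC20 _fjordPoints) {
        fjordPoints = _fjordPoints;
    }

    function bid(uint256 amount) external {
        // The recommended guard: a zero bid is rejected before any state or token movement.
        if (amount == 0) revert InvalidBidAmount();
        bids[msg.sender] += amount;
        totalBids += amount;
        require(fjordPoints.transferFrom(msg.sender, address(this), amount), "transfer failed");
        emit BidAdded(msg.sender, amount);
    }
}

// Regression test: the zero bid that passed in the PoC above must now revert.
contract ZeroBidRegressionTest is Test {
    ZeroCheckedAuction internal auction;
    address internal bidder = address(0x2);

    function setUp() public {
        // Placeholder token address: a zero bid reverts before transferFrom is ever reached.
        auction = new ZeroCheckedAuction(IERC20(address(0xBEEF)));
    }

    function testBidWithZeroAmountReverts() public {
        vm.prank(bidder);
        vm.expectRevert(ZeroCheckedAuction.InvalidBidAmount.selector);
        auction.bid(0);
        assertEq(auction.bids(bidder), 0);
        assertEq(auction.totalBids(), 0);
    }
}
```
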

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
