DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Possible loss of funds

Summary

Multiple problems can be found in FjordAuction, more precisely in the auctionEnd function. Both of them lead to loss of funds in some situations and to funds being stuck in the contract.

Vulnerability Details

In the next few lines, I will explain two different scenarios in which different problems can occur.

A) The admin creates an auction with Gemini USD, which has only 2 decimals

  1. The admin creates the auction and adds 100e2 of GeminiUsd

  2. Users bid 10001e18 points

  3. At the end of the auction, the calculation of the multiplier gives (100e2 * 10e18) / 10001e18 = 0, so all of the 100e2 tokens are stuck in the contract and none of the users receives any tokens.

This problem is not limited to tokens with 2 decimals: it can also occur with 6-decimal tokens, depending on how many points are bid and on the token amount, and even with 18-decimal tokens when the reward is extremely small.

B) Users can bid but receive no reward if the bid is a small amount.

  1. Let's say totalTokens is 100e6, in USDC for example.

  2. User Jack bids 1e11 points to the contract.

  3. At the end of the auction, 100e18 points have been bid, and the multiplier is 100e6 * 1e18 / 100e18 = 1e6

  4. User Jack calls claimsToken, and the amount the protocol needs to send is 1e11 * 1e6 / 1e18 = 0

These problems lead to locked funds and to users not receiving any reward.

Impact

Claim token amounts will be stuck in the contract.

Tools Used

Manual review

Recommendations

For the problem described in A), the protocol can add a check before accepting the bid: totalTokens.mul(PRECISION_18).div(totalBids + amountToBid) > 0;

For the problem outlined in B), we can think of two possible solutions: send the points back to the user, or implement a function to claim all tokens locked in the contract that have not been claimed after some period.
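
The two scenarios and the check recommended for A), replayed in a small integer model (an added example, not FjordAuction's code or part of the original submission). The class and function names are hypothetical, and PRECISION_18 is assumed to be 1e18, the scaling used in scenario B.

```python
# Added illustration: integer model of the arithmetic in scenarios A and B.
# Not FjordAuction's code; class and method names are hypothetical.
PRECISION_18 = 10**18  # assumption: the 1e18 scaling used in scenario B


class AuctionModel:
    def __init__(self, total_tokens, guard=False):
        self.total_tokens = total_tokens
        self.guard = guard  # apply the pre-bid check recommended for A)
        self.bids = {}
        self.total_bids = 0
        self.multiplier = None

    def bid(self, user, points):
        # Recommended check: refuse a bid that would floor the multiplier to 0.
        projected = self.total_tokens * PRECISION_18 // (self.total_bids + points)
        if self.guard and projected == 0:
            raise ValueError("bid would truncate multiplier to zero")
        self.bids[user] = self.bids.get(user, 0) + points
        self.total_bids += points

    def auction_end(self):
        # Floor division mirrors Solidity's unsigned integer division.
        self.multiplier = self.total_tokens * PRECISION_18 // self.total_bids
        return self.multiplier

    def claim_amount(self, user):
        return self.bids[user] * self.multiplier // PRECISION_18

    def stranded(self):
        # Tokens that no bidder can claim once the auction has ended.
        return self.total_tokens - sum(self.claim_amount(u) for u in self.bids)


def scenario_a(guard=False):
    a = AuctionModel(100 * 10**2, guard)    # 100e2 units of a 2-decimal token
    a.bid("users", 10001 * 10**18)          # 10001e18 points
    return a.auction_end(), a.stranded()


def scenario_b():
    b = AuctionModel(100 * 10**6)           # 100e6 USDC units
    b.bid("jack", 10**11)
    b.bid("others", 100 * 10**18 - 10**11)  # total bids reach 100e18
    b.auction_end()
    return b.multiplier, b.claim_amount("jack"), b.claim_amount("others"), b.stranded()
```

In scenario A the whole deposit is stranded, while in scenario B the model strands a single base unit: Jack's claim rounds to zero and the remaining bidder's claim rounds down by one.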

Updates

Lead Judging Commences

inallhonesty Lead Judge
9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Low decimal tokens or super small bids can lead to 0 claims
