Token ownership check during the raffle initialization is meaningless

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L126

Vulnerability details

Impact

It is not guaranteed that the raffle owner is the actual owner of the token up for a raffle.

Proof of Concept

And whenever a new raffle is created, msg.sender is used for initialization and it is checked if the caller is actually the owner of the token.
From this, I believe that the protocol intended to guarantee that the raffle owner actually owns the token up for a raffle.

VRFNFTRandomDraw.sol
75:     function initialize(address admin, Settings memory _settings)
76:         public
77:         initializer
78:     {
...
124:
125:         // Get owner of raffled tokenId and ensure the current owner is the admin
126:         try
127:             IERC721EnumerableUpgradeable(_settings.token).ownerOf(
128:                 _settings.tokenId
129:             )
130:         returns (address nftOwner) {
131:             // Check if address is the admin address
132:             if (nftOwner != admin) {
133:                 revert DOES_NOT_OWN_NFT();
134:             }
135:         } catch {
136:             revert TOKEN_BEING_OFFERED_NEEDS_TO_EXIST();
137:         }
138:     }

But this guarantee can be easily broken by transferring the ownership of the raffle.
This means a user can create unlimited number of raffles for the same token and transfer ownership to others.
Although the other owners can not start a draw, the impact might differ according to the business logic in the sense of how the ownership of a raffle for a token is valued.
I believe this is not what the protocol intended.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider locking the NFT token during the initialization.

[c4-judge]

gzeon-c4 marked the issue as duplicate of #104

[c4-judge]

gzeon-c4 marked the issue as satisfactory