Owner of the token will not receive the funds of the highest bid after an Auction is claimed #1986
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-971
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L113
Vulnerability details
Impact
After the auction is completed, the winner or the protocol owner must call the claimAuction function. At this point, the token is sent to the auction participant who made the highest bid, and the funds from that bid are sent to the owner of the protocol, not to the original owner of the NFT.
Funds should be sent to the original owner of the NFT, as can be understood from the description of bad cases in the project description: "Consider ways in which the owner of the token will not receive the funds of the highest bid after an Auction is claimed."
Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
Assessed type
Other
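The settlement flow described under Impact, with the payout directed to the token owner, as an added example that is not the NextGen AuctionDemo source and not part of the original report. All contract, function and variable names are hypothetical, and it assumes the token owner has approved the auction contract to transfer the NFT.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, NOT the NextGen AuctionDemo source. All names are hypothetical.
interface IERC721Like {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract AuctionPayoutSketch {
    address public immutable protocolOwner;
    IERC721Like public immutable nft;
    mapping(uint256 => uint256) public endTime;
    mapping(uint256 => address) public topBidder;
    mapping(uint256 => uint256) public topBid;
    mapping(uint256 => bool) public claimed;
    mapping(address => uint256) public refunds; // outbid funds, withdrawn by pull

    constructor(IERC721Like nft_) { protocolOwner = msg.sender; nft = nft_; }

    function open(uint256 id, uint256 end) external {
        require(msg.sender == protocolOwner && endTime[id] == 0 && end > block.timestamp, "bad open");
        endTime[id] = end;
    }

    function bid(uint256 id) external payable {
        require(block.timestamp <= endTime[id] && msg.value > topBid[id], "bad bid");
        if (topBidder[id] != address(0)) refunds[topBidder[id]] += topBid[id];
        topBidder[id] = msg.sender;
        topBid[id] = msg.value;
    }

    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        refunds[msg.sender] = 0; // clear before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }

    function claim(uint256 id) external {
        require(endTime[id] != 0 && block.timestamp > endTime[id] && !claimed[id], "not claimable");
        require(topBidder[id] != address(0), "no bids");
        require(msg.sender == topBidder[id] || msg.sender == protocolOwner, "not allowed");
        claimed[id] = true;
        address seller = nft.ownerOf(id); // token owner, read before the NFT moves
        nft.safeTransferFrom(seller, topBidder[id], id);
        // Behaviour the report describes: the bid is sent to protocolOwner instead of seller.
        // Corrected payout: the highest bid goes to the token owner.
        (bool ok, ) = payable(seller).call{value: topBid[id]}("");
        require(ok, "payout failed");
    }
}
```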