DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Token Transfer Validation in `AuctionFactory::createAuction` Function

Summary

The `createAuction` function transfers the auction tokens without checking whether the transfer succeeded, which can leave an auction partially created and the factory's state inconsistent with the token balances it assumes.

Vulnerability Details

Tokens are transferred from the owner to the newly created auction contract with `IERC20(auctionToken).transferFrom(msg.sender, auctionAddress, totalTokens)`. This operation assumes that:

  1. The owner has approved the AuctionFactory contract to spend the required amount of tokens.

  2. The transfer operation succeeds.

Neither assumption is verified in the current implementation. The boolean returned by `transferFrom` is discarded, so a token that reports failure by returning `false` rather than reverting goes unnoticed, and the function has no handling for a transfer that does not deliver the expected amount.

Impact

If the transfer fails for lack of approval or balance, the outcome depends on the token. A token that reverts on failure aborts the whole transaction, so the caller pays the gas of deploying the auction contract for nothing. A token that returns `false` instead of reverting leaves the freshly deployed auction registered with no tokens behind it, an inconsistent state that later logic may not expect.

Tools Used

Manual Review

Recommendations

If adopting OpenZeppelin's `SafeERC20` library (`safeTransferFrom`) is not an option, at minimum check the return value of `transferFrom` explicitly:

bool success = IERC20(auctionToken).transferFrom(msg.sender, auctionAddress, totalTokens);
require(success, "Token transfer failed. Ensure you have approved the AuctionFactory contract");

Note that this check only covers tokens that return a boolean; tokens that return nothing on success (a known non-standard behaviour) need `SafeERC20`, which handles both cases.
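The following is an added illustration, not code from the audited project: a minimal factory in its vulnerable form (return value of `transferFrom` ignored) next to a hardened form that uses OpenZeppelin's `SafeERC20` and additionally verifies the amount actually received, plus a constructed test token that returns `false` instead of reverting. The `Auction` contract, the factory names and the `FalseReturningToken` are all hypothetical; the only real dependency assumed is `@openzeppelin/contracts` 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal auction that holds the tokens put up for sale.
// Stand-in for the project's Auction contract, which is not shown on this page.
contract Auction {
    address public immutable owner;
    address public immutable token;
    uint256 public immutable totalTokens;

    constructor(address _owner, address _token, uint256 _totalTokens) {
        owner = _owner;
        token = _token;
        totalTokens = _totalTokens;
    }
}

// Before: the boolean returned by transferFrom is ignored. With a token that
// signals failure by returning false, the auction is deployed and registered
// even though it holds no tokens.
contract VulnerableAuctionFactory {
    address[] public auctions;

    function createAuction(address auctionToken, uint256 totalTokens) external returns (address) {
        Auction auction = new Auction(msg.sender, auctionToken, totalTokens);
        IERC20(auctionToken).transferFrom(msg.sender, address(auction), totalTokens);
        auctions.push(address(auction));
        return address(auction);
    }
}

// After: safeTransferFrom reverts on a false return and also on a missing
// return value (non-standard tokens). The balance delta check additionally
// rejects fee-on-transfer tokens that deliver less than requested.
contract HardenedAuctionFactory {
    using SafeERC20 for IERC20;

    address[] public auctions;

    error TokenTransferShortfall(uint256 expected, uint256 received);

    function createAuction(address auctionToken, uint256 totalTokens) external returns (address) {
        Auction auction = new Auction(msg.sender, auctionToken, totalTokens);
        IERC20 token = IERC20(auctionToken);

        uint256 balanceBefore = token.balanceOf(address(auction));
        token.safeTransferFrom(msg.sender, address(auction), totalTokens);
        uint256 received = token.balanceOf(address(auction)) - balanceBefore;
        if (received != totalTokens) revert TokenTransferShortfall(totalTokens, received);

        auctions.push(address(auction));
        return address(auction);
    }
}

// Constructed test token (hypothetical): returns false instead of reverting
// when allowance or balance is insufficient, which is exactly the case the
// unchecked transferFrom misses.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

To reproduce the difference, deploy `FalseReturningToken`, then call `createAuction` on each factory without first calling `approve`. `VulnerableAuctionFactory.createAuction` completes and appends an auction whose token balance is zero; `HardenedAuctionFactory.createAuction` reverts (in OpenZeppelin 5.x with `SafeERC20FailedOperation`), so no auction is registered. The balance-delta check is deliberately kept separate from `safeTransferFrom`: the library only proves the call did not fail, not that the full amount arrived.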
Updates

Lead Judging Commences
inallhonesty (Lead Judge), 10 months ago

Submission Judgement Published
inallhonesty (Lead Judge), 9 months ago
Invalidated
Reason: Non-acceptable severity
