The `withdraw` function contains a vulnerability that allows the user who won the auction by placing the highest bid to withdraw that highest bid amount in tokens. Once the auction ends and the winner receives their NFT, they should no longer be able to withdraw the highest bid that secured the win, only the previous bids (if any) that they placed on the way to the highest bid. However, the current implementation of `withdraw` lacks the check needed to determine whether the caller is the address of the highest bidder.
The highest bidder can call the `withdraw` function after winning the auction and retrieve their highest bid amount, potentially receiving the NFT for free.
Manual Code Review, VSCode
To mitigate this vulnerability, consider adding logic to the `withdraw` function so that the highest bidder cannot withdraw their highest bid amount after the auction has ended. This could be a check that verifies whether the caller of `withdraw` is the highest bidder and, if so, refunds only the tokens from the previous bids (if any) placed on the way to the highest bid, but not the highest bid amount itself.
The `withdraw` function allows the participants to receive back the value of all their unsuccessful bids. The problem is that the winner of the auction will receive all bids including the `highest_bid` that should be paid to the NFT owner.
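An illustrative Solidity contract, added here and not the audited project's code, showing the refund shape the finding describes (`withdrawVulnerable`) beside a hardened `withdraw` that keeps the winner's highest bid escrowed for the seller; the contract name, the `deposits` mapping and the minimal ERC20 interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used here (assumed; not the audited project's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative auction, not the audited contract. `deposits` holds every bid an address has escrowed, including its current highest bid.
contract AuctionWithdrawExample {
    IERC20 public immutable token;
    address public highestBidder;
    uint256 public highestBid;
    bool public ended;
    mapping(address => uint256) public deposits;

    constructor(IERC20 token_) { token = token_; }

    function bid(uint256 amount) external {
        require(!ended && amount > highestBid, "bid too low");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
        highestBidder = msg.sender;
        highestBid = amount;
    }

    function end() external { ended = true; } // access/time checks omitted for brevity

    // Vulnerable shape described in the finding: refunds the whole escrowed balance, so the winner also recovers the bid that bought the NFT.
    function withdrawVulnerable() external {
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Hardened version: the winner only gets back the outbid amounts; the highest bid stays escrowed for the NFT seller.
    function withdraw() external {
        require(ended, "auction not ended");
        uint256 refund = deposits[msg.sender];
        uint256 retained = 0;
        if (msg.sender == highestBidder) {
            retained = highestBid;      // still owed to the seller
            refund -= retained;
        }
        require(refund > 0, "nothing to withdraw");
        deposits[msg.sender] = retained; // effects before interaction
        require(token.transfer(msg.sender, refund), "transfer failed");
    }
}
```

With a winner who bid 10 then 15 tokens, `withdrawVulnerable` returns all 25 while the hardened `withdraw` returns 10 and leaves 15 escrowed.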