Starknet Auction

First Flight #26
Tags: Beginner Friendly, NFT
100 EXP
Submission Details
Severity: medium
Valid

Insufficient Checks in end Function

Summary

The end function finalizes the auction, but it does not check whether the highest bid is greater than zero. If no bids were placed, the NFT would remain locked in the contract (effectively transferred to the contract's own address) instead of going back to the owner.

Vulnerability Details

In the end function:

// Reverts when no bid exceeded the starting price, so the call never reaches the transfer below
assert(self.starting_price.read() < self.highest_bid.read(), 'No bids');
// Transfers the NFT to whatever address highest_bidder currently holds
erc721_dispatcher.transfer_from(sender, self.highest_bidder.read(), self.nft_id.read().into());

If no bids are placed, highest_bidder still holds the owner's address (it was set to the owner during start), yet the function attempts the transfer anyway. With no valid bid, the NFT can end up locked in the contract.

Impact

If no bids are made, the NFT could be locked in the contract, and the owner may lose access to it.

Tools Used

  • Manual code review

Recommendations

  • Before transferring the NFT, ensure that the highest bid is greater than the starting price and greater than zero:

assert(self.highest_bid.read() > 0, 'No valid bids');
  • Alternatively, return the NFT to the owner if no valid bids are made.
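As an added example (not the contest's or the auction contract's own code), a hardened end function that follows the second recommendation and returns the NFT to the owner when no valid bid was placed. The storage fields owner, ended and nft_address, the IERC721Dispatcher type and get_contract_address are assumptions not shown in the excerpt; starting_price, highest_bid, highest_bidder and nft_id come from the page.

```cairo
use starknet::get_contract_address;

// Hardened `end`: assumed storage fields `owner`, `ended`, `nft_address`
// alongside the excerpt's `starting_price`, `highest_bid`, `highest_bidder`
// and `nft_id`. `IERC721Dispatcher` is assumed to be the ERC721 dispatcher
// the contract already uses for `erc721_dispatcher`.
fn end(ref self: ContractState) {
    // Finalize only once (assumed check; not in the excerpt)
    assert(!self.ended.read(), 'Auction already ended');
    self.ended.write(true);

    let owner = self.owner.read();
    let highest_bid = self.highest_bid.read();
    let nft_id: u256 = self.nft_id.read().into();
    let this = get_contract_address();
    let erc721_dispatcher = IERC721Dispatcher {
        contract_address: self.nft_address.read()
    };

    // No valid bid: nothing above the starting price, or no bid at all
    // (highest_bidder still points at the owner). Return the NFT instead of
    // reverting, which would leave it locked in the contract permanently.
    if highest_bid == 0 || highest_bid <= self.starting_price.read() {
        erc721_dispatcher.transfer_from(this, owner, nft_id);
        return;
    }

    // Valid winner: hand the NFT to the highest bidder. Paying the bid out
    // to the owner would follow here in the full contract (not in the excerpt).
    erc721_dispatcher.transfer_from(this, self.highest_bidder.read(), nft_id);
}
```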

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The NFT will be locked if there are no bids

If there are no placed bids in the auction, the `end` function will always revert. The owner cannot receive the NFT back, and it will be locked in the contract.
