Starknet Auction

First Flight #26
Beginner Friendly, NFT
Submission Details
Severity: medium
Invalid

The protocol doesn't have enough funds to cover all client withdrawals, which creates a significant risk of insolvency.

Summary

The NFT owner can withdraw the highest bid without ensuring adequate funds for all participants, so the protocol's integrity crumbles. This can lead to trust issues and potential financial losses for users.

Vulnerability Details

The protocol holds a specific amount of ERC20 tokens, accumulated from all the bids placed by clients.

E.g.:

3 clients

1 NFT owner

3c + 1o = 4 players

Client A bids 10 tokens, B bids 30 and C bids 60.

(10+30+60) = 100 tokens

The highest bid = 60 (client C)

The NFT owner withdraws the highest bid.

After the withdrawal of the highest bid, the protocol retains 40 tokens, and there are three clients who each wish to withdraw their money, 100 tokens in all.

100 - 60 = 40

Given this simple math, one or two clients will not be able to withdraw their funds.

And this creates a risk of a race for resources.

Impact

Clients cannot withdraw their unsuccessful bids.

Tools Used

Manual review

Recommendations

Please rethink the protocol.

Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

eth0x Submitter
10 months ago
bube Lead Judge
10 months ago
eth0x Submitter
10 months ago
bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
