If no bids are placed during the auction period, the NFT becomes locked in the contract, with no mechanism for the original owner to reclaim it.
The vulnerability is present in the `end` function of the `StarknetAuction` contract. The function includes a check to ensure that at least one bid has been made that exceeds the starting price. However, if this condition is not met, the function simply reverts, leaving the NFT trapped in the contract.
If no bids are placed, the assertion `self.starting_price.read() < self.highest_bid.read()` will fail, causing the function to revert. As a result, the NFT remains in the contract's possession with no way for the original owner to retrieve it.
This vulnerability can lead to permanent loss of the NFT for the original owner if no bids are placed during the auction. The NFT becomes locked in the contract without any mechanism to return it to the owner or restart the auction.
Manual code review
To address this vulnerability, modify the `end` function to handle the zero-bid scenario: instead of reverting, transfer the NFT back to the original owner and update the `highest_bid` value to 0.
If there are no placed bids in the auction, the `end` function will always revert. The owner cannot receive the NFT back, and it will be locked in the contract.
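The recommended fix, written out in Cairo as an added example rather than the audited contract's code. Only `starting_price` and `highest_bid` come from the finding; the `owner`, `nft`, `token_id`, `payment_token`, `highest_bidder` and `ended` storage fields, the ERC721/ERC20 interfaces and the Cairo 2.7+ storage access traits are assumptions about the surrounding contract.

```cairo
use starknet::ContractAddress;
#[starknet::interface]
trait IERC721<T> {
    fn transfer_from(ref self: T, from: ContractAddress, to: ContractAddress, token_id: u256);
}
#[starknet::interface]
trait IERC20<T> {
    fn transfer(ref self: T, recipient: ContractAddress, amount: u256) -> bool;
}
#[starknet::interface]
trait IStarknetAuction<T> {
    fn end(ref self: T);
}
#[starknet::contract]
mod StarknetAuction {
    use starknet::{ContractAddress, get_contract_address};
    use starknet::storage::{StoragePointerReadAccess, StoragePointerWriteAccess};
    use super::{IERC721Dispatcher, IERC721DispatcherTrait, IERC20Dispatcher, IERC20DispatcherTrait};
    #[storage]
    struct Storage {
        owner: ContractAddress,         // seller who deposited the NFT (assumed field)
        nft: ContractAddress,           // ERC721 collection (assumed field)
        token_id: u256,                 // (assumed field)
        payment_token: ContractAddress, // ERC20 the bids are paid in (assumed field)
        starting_price: u256,
        highest_bid: u256,
        highest_bidder: ContractAddress, // (assumed field)
        ended: bool,                    // (assumed field)
    }
    #[abi(embed_v0)]
    impl StarknetAuctionImpl of super::IStarknetAuction<ContractState> {
        fn end(ref self: ContractState) {
            assert(!self.ended.read(), 'Auction already ended');
            self.ended.write(true); // mark finished before any external call
            let owner = self.owner.read();
            let nft = IERC721Dispatcher { contract_address: self.nft.read() };
            if self.highest_bid.read() <= self.starting_price.read() {
                // No valid bid: return the NFT to the seller instead of reverting,
                // which is what left it permanently locked in the original `end`.
                self.highest_bid.write(0);
                nft.transfer_from(get_contract_address(), owner, self.token_id.read());
                return;
            }
            // Valid bid: NFT goes to the winner, proceeds go to the seller.
            nft.transfer_from(get_contract_address(), self.highest_bidder.read(), self.token_id.read());
            let pay = IERC20Dispatcher { contract_address: self.payment_token.read() };
            pay.transfer(owner, self.highest_bid.read());
        }
    }
}
```

The `ended` guard is not part of the finding; it is included so that once the NFT has been returned the function cannot be replayed against the now-zeroed `highest_bid`.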