transfer() is incorrectly being used within bid() to deposit tokens from bidders.
On line 113, transfer() is used to deposit ERC20 tokens from bidders into the contract. Because the call is made from inside bid(), the token contract sees the auction contract, not the bidder, as the caller, so the tokens are debited from the auction contract's own balance rather than from the bidder's.

If the contract has no preexisting balance, the call fails with an INSUFFICIENT_BALANCE error, so every call to bid() reverts. If the contract does have a preexisting balance, bidders can bid using the contract's tokens instead of their own: the bid is recorded but the bidder pays nothing, and they can later withdraw that amount from the contract when the auction completes. It also means the winning bidder wins the NFT with the contract paying for it.
Manual Review
Update line 113 to the following: erc20_dispatcher.transferFrom(sender, receiver, amount.into()); where sender is the bidder calling bid() and receiver is the auction contract (assumed roles for the two parameters). Note that this only succeeds if the bidder has first approved the auction contract for at least amount; without that allowance the call reverts, which is the intended behaviour rather than a silent debit of the contract's funds.
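To make the two failure modes concrete, below is a small Python model of the ERC20 semantics involved. This is an added example, not the contest project's Cairo code: the ERC20 and Auction classes, the address strings, the exception names and the balances are all constructed for illustration. It contrasts the vulnerable bid() (calling transfer() from the contract) with the corrected one (calling transfer_from() against an allowance) on an empty and on a pre-funded contract.

```python
"""Model of the transfer() vs transfer_from() confusion in bid().
Added example with simplified token and auction semantics; not project code."""


class InsufficientBalance(Exception):
    pass


class InsufficientAllowance(Exception):
    pass


class ERC20:
    """Minimal ERC20 model: transfer() debits the caller, transfer_from()
    debits `sender` against an allowance that `sender` granted to the caller."""

    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def approve(self, caller, spender, amount):
        self.allowances[(caller, spender)] = amount

    def _move(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise InsufficientBalance(f"{src} holds {self.balance_of(src)}, needs {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def transfer(self, caller, recipient, amount):
        # The debited account is whoever invokes this entry point.
        self._move(caller, recipient, amount)

    def transfer_from(self, caller, sender, recipient, amount):
        allowed = self.allowances.get((sender, caller), 0)
        if allowed < amount:
            raise InsufficientAllowance(f"{caller} may spend {allowed} of {sender}, needs {amount}")
        self.allowances[(sender, caller)] = allowed - amount
        self._move(sender, recipient, amount)


class Auction:
    ADDRESS = "auction_contract"  # constructed address of the auction contract

    def __init__(self, token, fixed=False):
        self.token = token
        self.fixed = fixed
        self.bids = {}

    def bid(self, bidder, amount):
        if self.fixed:
            # Correct: the auction spends the bidder's tokens under an allowance.
            self.token.transfer_from(self.ADDRESS, bidder, self.ADDRESS, amount)
        else:
            # Vulnerable: the caller of transfer() is the auction contract itself,
            # so its own balance is checked and debited; the bidder pays nothing.
            self.token.transfer(self.ADDRESS, self.ADDRESS, amount)
        self.bids[bidder] = self.bids.get(bidder, 0) + amount


def vulnerable_bid_empty_contract():
    """Contract holds no tokens: every bid() reverts."""
    token = ERC20()
    token.mint("alice", 100)
    auction = Auction(token)
    try:
        auction.bid("alice", 60)
    except InsufficientBalance:
        return "reverted"
    return "accepted"


def vulnerable_bid_funded_contract():
    """Contract pre-funded: bid is recorded, alice's balance is untouched."""
    token = ERC20()
    token.mint("alice", 100)
    token.mint(Auction.ADDRESS, 500)  # constructed preexisting balance
    auction = Auction(token)
    auction.bid("alice", 60)
    return auction.bids["alice"], token.balance_of("alice"), token.balance_of(Auction.ADDRESS)


def fixed_bid():
    """With transfer_from(): unapproved bid reverts, approved bid moves alice's tokens."""
    token = ERC20()
    token.mint("alice", 100)
    auction = Auction(token, fixed=True)
    try:
        auction.bid("alice", 60)  # no approval yet
    except InsufficientAllowance:
        pass
    token.approve("alice", Auction.ADDRESS, 60)
    auction.bid("alice", 60)
    return auction.bids["alice"], token.balance_of("alice"), token.balance_of(Auction.ADDRESS)


if __name__ == "__main__":
    print(vulnerable_bid_empty_contract())   # reverted
    print(vulnerable_bid_funded_contract())  # (60, 100, 500)
    print(fixed_bid())                       # (60, 40, 60)
```

The funded case is the one that matters for exploitation: the bid of 60 is recorded against alice while both her balance and the contract's stay unchanged, which is exactly the state that lets her later withdraw, or win the NFT, with the contract's tokens.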
In the `bid` function the `transfer` function is wrongly used instead of `transfer_from`.