Description
The protocol does not provide a mechanism for the NFT owner to recover their NFT in the event that a) there are no bids or b) the highest bid does not exceed the reserve price.

The `StarknetAuction::end` function correctly sends the NFT to the winning bidder.

The `StarknetAuction::start` function transfers ownership of the NFT being auctioned to the StarknetAuction contract.

The `StarknetAuction::withdraw` function allows losing bidders to withdraw their bid ERC20 tokens. It also allows the contract/NFT owner to withdraw the value of the winning bid. However, there is no provision allowing the NFT owner to transfer ownership of the NFT back to themselves where a sale is not completed.
Impact:
Where no sale is completed, the NFT owner loses ownership of their NFT; the NFT for sale is locked in the StarknetAuction contract.
Recommended Mitigation:
The protocol should create a new method, `StarknetAuction::withdrawNFT`. This function should be callable only by the contract owner and only after the auction has ended. The `StarknetAuction::ended` flag is set in the `StarknetAuction::end` method. Where a sale did complete, the NFT will already have been transferred to the highest bidder and is no longer owned by the contract by the time the new method is called, so there is nothing for it to return.
If there are no placed bids in the auction, the `end` function will always revert. The owner cannot receive the NFT back, and it will be locked in the contract.
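One way to implement the recommended `withdrawNFT` guard in Cairo, as an added example that is not the project's code. The storage field names (`owner`, `ended`, `end_time`, `nft`, `nft_id`), the use of the OpenZeppelin `IERC721` dispatcher, and the `end_time` deadline check (added because `end` reverts with no bids, so `ended` alone would never be set) are assumptions about the contract.

```cairo
// Added example (not StarknetAuction's own code). Storage names, the OpenZeppelin
// IERC721 dispatcher path and the `end_time` field are assumptions.
#[starknet::interface]
trait IAuctionRecovery<TContractState> {
    fn withdraw_nft(ref self: TContractState);
}

#[starknet::contract]
mod StarknetAuction {
    use starknet::{ContractAddress, get_caller_address, get_contract_address, get_block_timestamp};
    use openzeppelin::token::erc721::interface::{IERC721Dispatcher, IERC721DispatcherTrait};

    #[storage]
    struct Storage {
        owner: ContractAddress, // NFT owner who started the auction
        ended: bool,            // set only by `end`
        end_time: u64,          // auction deadline (assumed field)
        nft: ContractAddress,   // ERC721 contract of the auctioned token
        nft_id: u256,           // token id held by this contract
    }

    #[abi(embed_v0)]
    impl AuctionRecoveryImpl of super::IAuctionRecovery<ContractState> {
        /// Return the unsold NFT to the owner once the auction is over.
        fn withdraw_nft(ref self: ContractState) {
            let caller = get_caller_address();
            assert(caller == self.owner.read(), 'CALLER_NOT_OWNER');

            // `ended` is only set by `end`, which reverts when there are no bids,
            // so also treat the auction as over once the deadline has passed.
            let over = self.ended.read() || get_block_timestamp() >= self.end_time.read();
            assert(over, 'AUCTION_NOT_OVER');

            // If a sale completed, `end` already moved the NFT to the winner; the
            // contract no longer owns it and this call must fail rather than
            // attempt a transfer of a token it does not hold.
            let nft = IERC721Dispatcher { contract_address: self.nft.read() };
            let token_id = self.nft_id.read();
            let this = get_contract_address();
            assert(nft.owner_of(token_id) == this, 'NFT_NOT_HELD');

            nft.transfer_from(this, caller, token_id);
        }
    }
}
```

The `owner_of` check is what distinguishes the two unsold cases (no bids, reserve not met) from a completed sale without needing to inspect bid state.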