Starknet Auction

First Flight #26
Submission Details
Severity: low
Invalid

The end and withdraw functions are not complete; token approvals should be part of either function

Summary

The end function is responsible for terminating the auction, but in my opinion it's not complete. After the auction ends, the bidders will have to wait until the auction_contract approves their amount, and then they will be able to withdraw their amount. The function withdraw will not work for bidders to take back their money until their amount is approved.

Vulnerability Details

Impact

The bidders will have to wait until their amount is approved, and there is no way of knowing that, so they will have to keep calling the withdraw function. Even though the condition in the withdraw function, amount > 0, is true, the block doesn't get executed until the tokens are approved.

Tools Used

Recommendations

The token approval should be part of the withdraw function, such that if a bidder's amount is greater than zero, then his tokens should be approved and transferred and the amount should be updated accordingly. It should be done in such a way that there's no possibility of reentrancy.
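The behaviour described in this submission, as an added Python model that is not the audited Cairo contract or the submitter's code: a withdraw that stalls until an allowance exists, next to one that zeroes the stored amount, then approves and transfers in the same call. The `Token` and `Auction` classes, the `"auction"` address, the bid values and the assumption that the token checks the spender's allowance even when the contract spends its own balance are all constructed for illustration.

```python
# Constructed model, not the audited contract: a minimal ERC-20 style ledger
# with allowances, plus an auction holding bidders' refundable amounts.
class Token:
    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # Assumption: the allowance is enforced even when caller == owner.
        if self.allowances.get((owner, caller), 0) < amount:
            raise RuntimeError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Auction:
    ADDRESS = "auction"  # hypothetical contract address

    def __init__(self, token, bids):
        self.token, self.bids = token, dict(bids)
        token.balances[self.ADDRESS] = sum(bids.values())

    def withdraw_without_approval(self, bidder):
        # Reported behaviour: amount > 0 passes, but the refund fails
        # until the auction's tokens have been approved separately.
        amount = self.bids.get(bidder, 0)
        if amount > 0:
            self.token.transfer_from(self.ADDRESS, self.ADDRESS, bidder, amount)
            self.bids[bidder] = 0

    def withdraw_with_approval(self, bidder):
        # Recommended shape: update the stored amount first so a re-entrant
        # call sees zero, then approve and transfer in the same call.
        amount = self.bids.get(bidder, 0)
        if amount == 0:
            return 0
        self.bids[bidder] = 0
        self.token.approve(self.ADDRESS, self.ADDRESS, amount)
        self.token.transfer_from(self.ADDRESS, self.ADDRESS, bidder, amount)
        return amount
```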

Updates

Lead Judging Commences

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
