Highest bidders can withdraw their bids after auction ends
Summary
The highest bidder can withdraw their bids back even after winning the auction and getting the auction nft
Vulnerability Details
The auction's highest bidder gets the auction NFT when the function ends while the auction owner gets the highest bid. However, the current implementation of the withdraw function allows the highest bidder to get both the NFT and the bid.
Impact
The highest bidder can withdraw their bid, this will either prevent other bidders from withdrawing their bids or the auction owner from withdrawing the highest bid.
Tools Used
Manual
Recommendations
Lead Judging Commences
The `highest_bidder` can withdraw the value of all bids
The `withdraw` function allows the participants to receive back the value of all their unsuccessful bids. The problem is that the winner of the auction will receive all bids including the `highest_bid` that should be paid to the NFT owner.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.