NFTLiquidator.sol Contract Issue: NFTs Locked in Contract if No Bids Received
Summary
NFTLiquidator.sol contains a vulnerability where an NFT listed for auction can become permanently stuck in the contract if no bids are placed before the auction ends. Instead of remaining locked indefinitely, the NFT should be returned to StabilityPool.sol if no bids are received.
Vulnerability Details
The issue arises because there is no mechanism to transfer the NFT out of the contract unless it has been successfully auctioned or purchased at a premium before the auction expires. As a result, if no bids are placed and NFT is not purchased at a premium before expiry, the NFT remains trapped in the contract with no way to recover it.
Impact
This flaw leads to the complete loss of the NFT, preventing the protocol from realizing its full value. Consequently, the protocol is unable to generate revenue or utilize the asset for any economic activity, undermining its financial efficiency. Considering the immense economic loss this would be cosidered a high impact scenario.
Tools Used
Manual.
Recommendations
Implement an external function, accessible only to the contract owner, to allow the retrieval of stuck NFTs. This function should enable the owner to transfer NFTs out of the contract in cases where an auction fails to attract bids, ensuring the assets remain usable within the protocol.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.