Submission Details
Severity:
Ether will stuck forever in NFTLiquidator contract
Summary
Ether needs special function to receive it and StabilityPool contract doesn't have one which will make funds stuck in NFTLiquidator when auction end.
Vulnerability Details
When the auction for a specific NFT concludes and the token is transferred to the winner, the contract attempts to send the Ether proceeds to the
StabilityPool. However, this transfer will fail because theStabilityPoolcontract lacks a fallback or receive function to accept Ether.
function endAuction(uint256 tokenId) external {
TokenData storage data = tokenData[tokenId];
if (block.timestamp < data.auctionEndTime) revert AuctionNotEnded();
if (data.highestBidder == address(0)) revert NoBidsPlaced();
address winner = data.highestBidder;
uint256 winningBid = data.highestBid;
delete tokenData[tokenId];
nftContract.transferFrom(address(this), winner, tokenId);
payable(stabilityPool).transfer(winningBid); <@
emit AuctionEnded(tokenId, winner, winningBid);
}
Impact
Ether will stuck forever in the contract.
Tools Used
Manual audit
Recommendations
StabilityPool contract must have fallback function to receive ether.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
StabilityPool misses receive/fallback breaking the integration with NFTLiquidator
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
StabilityPool misses receive/fallback breaking the integration with NFTLiquidator
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.