Core Contracts

Relevant Context

The NFTLiquidator contract manages the liquidation of under-collateralized NFTs through an auction mechanism. When an NFT is liquidated, it starts a 3-day auction period during which users can place bids. The auction must be explicitly ended by calling endAuction() after the auction period.

Finding Description

The endAuction() function requires that at least one valid bid has been placed before the auction can be concluded (if (data.highestBidder == address(0)) revert NoBidsPlaced()). However, if no bids are placed during the auction period, the NFT becomes permanently locked in the contract as there is no mechanism to restart the auction or handle failed auctions.

This creates a situation where NFTs can become permanently trapped in the contract if they fail to attract any bids during their initial auction period, resulting in lost value for the protocol and its users.

Impact Explanation

High. If an NFT fails to receive any bids during its auction period, it becomes permanently locked in the contract with no mechanism for recovery. This results in a complete loss of the asset's value for both the protocol and the original owner.

Likelihood Explanation

Low. The scenario requires that no bids are placed during the entire 3-day auction period, which is unlikely for NFTs previously deemed valuable enough to be accepted as collateral.

Proof of Concept

1. Alice's NFT position becomes under-collateralized

2. The protocol liquidates Alice's NFT by calling liquidateNFT()

3. The 3-day auction period passes with no bids placed

4. Any attempt to call endAuction() reverts due to the NoBidsPlaced error

5. The NFT remains permanently locked in the contract with no mechanism for recovery

Recommendation

Add a function to restart failed auctions with a lower starting price: