Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

NFT Locked Forever if No Bids Placed During Auction in NFTLiquidator Contract

Summary

In the NFTLiquidator contract, if no bids are placed on an NFT during the auction, the NFT remains locked in the contract, and the auction cannot be ended successfully. This issue arises because the endAuction function reverts with the NoBidsPlaced error if no bids have been placed. As a result, the NFT cannot be reclaimed, re-auctioned, or transferred back to the original owner, leading to a permanent lock of the NFT in the contract.

Vulnerability Details

The vulnerability is found in the endAuction function of the NFTLiquidator contract. The function checks if any bids have been placed by verifying if data.highestBidder is not the zero address. If no bids have been placed, the function reverts with the NoBidsPlaced error, preventing the auction from being ended and the NFT from being transferred out of the contract.

    /**
     * @dev Ends the auction for a specific NFT
     * @param tokenId The ID of the NFT whose auction is ending
     */
    function endAuction(uint256 tokenId) external {
        TokenData storage data = tokenData[tokenId];
        if (block.timestamp < data.auctionEndTime) revert AuctionNotEnded();
        // audit: if no bids are placed, the NFT is locked forever; liquidate NFT can't be called again
        if (data.highestBidder == address(0)) revert NoBidsPlaced();
        address winner = data.highestBidder;
        uint256 winningBid = data.highestBid;
        delete tokenData[tokenId];
        nftContract.transferFrom(address(this), winner, tokenId);
        payable(stabilityPool).transfer(winningBid);
        emit AuctionEnded(tokenId, winner, winningBid);
    }

Impact

The impact of this vulnerability is significant as it leads to the permanent lock of the NFT in the NFTLiquidator contract if no bids are placed during the auction. This prevents the NFT from being reclaimed, re-auctioned, or transferred back to the original owner, resulting in a loss of the NFT.

Tools Used

Manual review

Recommendations

To fix this vulnerability, the endAuction function should be modified to include a fallback mechanism that allows the NFT to be reclaimed, re-auctioned, or transferred back to the original owner if no bids are placed. Here are some recommendations:

Allow Original Owner to Reclaim NFT: Implement a function that allows the original owner to reclaim the NFT if no bids are placed during the auction.
Allow Contract Owner to Re-Auction NFT: Implement a function that allows the contract owner to re-auction the NFT if no bids are placed during the initial auction.
Implement Grace Period for Re-Auction: Implement a grace period during which the NFT can be re-auctioned if no bids are placed.
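One way to apply the re-auction recommendation, as an added example that is not the project's code: endAuction opens a new bidding window when no bid exists instead of reverting. The contract name, the NoActiveAuction error, the AuctionRestarted event, the AUCTION_DURATION value, the constructor and the struct layout are assumptions, and tokenData is assumed to be populated by the contract's own liquidation and bidding functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Added illustration; identifiers marked "assumed" are hypothetical, not the audited code.
contract NoBidFallbackExample {
    struct TokenData { // assumed layout, limited to the fields endAuction reads
        uint256 auctionEndTime;
        uint256 highestBid;
        address highestBidder;
    }

    error AuctionNotEnded();
    error NoActiveAuction(); // assumed
    event AuctionEnded(uint256 indexed tokenId, address winner, uint256 amount);
    event AuctionRestarted(uint256 indexed tokenId, uint256 newEndTime); // assumed

    uint256 public constant AUCTION_DURATION = 3 days; // assumed value
    IERC721Like public immutable nftContract;
    address public immutable stabilityPool;
    mapping(uint256 => TokenData) public tokenData;

    constructor(IERC721Like nft, address pool) {
        nftContract = nft;
        stabilityPool = pool;
    }

    function endAuction(uint256 tokenId) external {
        TokenData storage data = tokenData[tokenId];
        // Reject token IDs that were never put up for auction.
        if (data.auctionEndTime == 0) revert NoActiveAuction();
        if (block.timestamp < data.auctionEndTime) revert AuctionNotEnded();

        if (data.highestBidder == address(0)) {
            // No bids: reopen bidding instead of reverting, so the auction can still settle later.
            data.auctionEndTime = block.timestamp + AUCTION_DURATION;
            emit AuctionRestarted(tokenId, data.auctionEndTime);
            return;
        }
        address winner = data.highestBidder;
        uint256 winningBid = data.highestBid;
        delete tokenData[tokenId]; // clear state before the external calls
        nftContract.transferFrom(address(this), winner, tokenId);
        payable(stabilityPool).transfer(winningBid);
        emit AuctionEnded(tokenId, winner, winningBid);
    }
}
```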

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
