Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Eth will never transfered to `StabilityPool.sol` as it doesn't implement any `receive()` or `fallback()` function to receive ETH.

0xhacksmithh

Summary

Vulnerability Details

We can see that in NFTLiquidator :: endAuction() and NFTLiquidator :: buyBackNFTboth cases ETH get transfered to Stability pool

function endAuction(uint256 tokenId) external {

TokenData storage data = tokenData[tokenId];

if (block.timestamp < data.auctionEndTime) revert AuctionNotEnded();

if (data.highestBidder == address(0)) revert NoBidsPlaced();

address winner = data.highestBidder;

uint256 winningBid = data.highestBid;

delete tokenData[tokenId];

nftContract.transferFrom(address(this), winner, tokenId);

payable(stabilityPool).transfer(winningBid); // @audit-issue

emit AuctionEnded(tokenId, winner, winningBid);

}

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L140-L154

function buyBackNFT(uint256 tokenId) external payable {

TokenData storage data = tokenData[tokenId];

if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();

if (nftContract.ownerOf(tokenId) != address(this)) revert NFTNotInLiquidation();

uint256 price = data.debt * 11 / 10; // 110% of the debt

if (msg.value < price) revert InsufficientPayment(price);

// Refund the highest bidder if there's an existing bid

if (data.highestBidder != address(0)) {

payable(data.highestBidder).transfer(data.highestBid);

delete tokenData[tokenId];

nftContract.transferFrom(address(this), msg.sender, tokenId);

payable(stabilityPool).transfer(price);// @audit-issue

if (msg.value > price) {

payable(msg.sender).transfer(msg.value - price);

}

emit BuybackCompleted(tokenId, msg.sender, price);

}

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L160-L183

But Stability pool never has any fallback()or receive()function which will allow Stability pool to receive those ETH ,

So as we know In Solidity, when using the .transfer() method, the recipient contract must have a receive() or fallback() function to accept Ether.

If the recipient contract does not implement either of these functions, the transaction will revert (fail).

Impact

endAuction()and bayBackNFT()always gonna fail

Tools Used

mannual review

Recommendations

implement a receive() or fallback()function in StabilityPoolcontract

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool misses receive/fallback breaking the integration with NFTLiquidator

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

StabilityPool misses receive/fallback breaking the integration with NFTLiquidator

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.