The NFTLiquidator contract is designed to liquidate NFTs via an auction mechanism. When an NFT is liquidated, an auction is started, and bidders may place bids or buy the NFT for a premium price until the auction deadline. However, if no bids are placed during the auction period, the auction cannot be ended via the endAuction function, because it reverts when highestBidder is address(0). As a result, an NFT that receives no bids remains stuck in the contract permanently.
The placeBid and buyBackNFT functions have this check: if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();. It is meant to prevent users from bidding on or buying an NFT after auctionEndTime has passed.
On the other hand, the endAuction function has these two checks
The endAuction function can be called only after auctionEndTime has passed, which signals that the auction has finished.
The issue with the current code is that the protocol assumes that there will always be bids for the liquidated NFTs.
In cases where the auction ends with no bids, the NFTs will remain stuck in the NFTLiquidator permanently because there is no logic that allows the admin/owner to extract the NFTs from there or re-auction them if no one bids during the auction.
Calling the placeBid or buyBackNFT functions after the auction deadline passes will always revert because of the block.timestamp >= data.auctionEndTime check, and the endAuction function will always revert because of the data.highestBidder == address(0) check.
Liquidated NFTs will remain permanently locked in the NFTLiquidator contract.
Manual review
Add a new auction flow to handle the scenario where no bids are placed in the auction. For instance, after a defined grace period, allow the NFT to be re-auctioned through an alternative mechanism, possibly at a lower price.
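The dead state and the recommended recovery path can be checked with a small Python model of the three guards described above. This is an added illustration, not the contract's code: min_price, GRACE_PERIOD, reauction, callable_at and every revert name other than AuctionHasEnded are assumptions.

```python
from dataclasses import dataclass, replace

ZERO = "0x0"         # stands in for address(0)
GRACE_PERIOD = 3600  # assumed value, in seconds

class Revert(Exception): pass  # models a revert; only AuctionHasEnded is named on the page

@dataclass
class Auction:
    auction_end_time: int
    min_price: int             # assumed field, lowered by the re-auction fix
    highest_bidder: str = ZERO

def place_bid(a, now, bidder, amount):
    if now >= a.auction_end_time:
        raise Revert("AuctionHasEnded")
    if amount < a.min_price:
        raise Revert("BidTooLow")
    a.highest_bidder = bidder

def buy_back_nft(a, now):
    if now >= a.auction_end_time:
        raise Revert("AuctionHasEnded")

def end_auction(a, now):
    if now < a.auction_end_time:
        raise Revert("AuctionNotEnded")
    if a.highest_bidder == ZERO:
        raise Revert("NoBids")

def reauction(a, now, duration, new_min_price):  # hypothetical fix, not on the page
    if a.highest_bidder != ZERO or now < a.auction_end_time + GRACE_PERIOD:
        raise Revert("NotReauctionable")
    a.auction_end_time, a.min_price = now + duration, new_min_price

def callable_at(a, now, with_fix=False):
    """Return the entry points that do not revert at `now` (each tried on a copy)."""
    calls = {"placeBid": lambda c: place_bid(c, now, "bidder", c.min_price),
             "buyBackNFT": lambda c: buy_back_nft(c, now),
             "endAuction": lambda c: end_auction(c, now)}
    if with_fix:
        calls["reauction"] = lambda c: reauction(c, now, 86400, c.min_price // 2)
    ok = []
    for name, fn in calls.items():
        try:
            fn(replace(a))
        except Revert:
            continue
        ok.append(name)
    return ok
```

For an auction with no bids, callable_at returns an empty list at every timestamp from auction_end_time onward unless with_fix is set, which is the permanent lock the finding describes.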