Incompatible Stability Pool Transfer in `endAuction` Function
Summary
The endAuction function attempts to transfer funds to the StabilityPool, but if the StabilityPool contract lacks a receive/fallback function, the transfer will always revert, which means the endAuction will always fail
Vulnerability Details
In the code https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L151, stability pool gets the transfer of the winningbid using eth transfer, but in the stability pool, there is no receive or fallback function https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/StabilityPool.sol. This means it would revert and winning bid will always revert
Impact
Prevents auctions from ending successfully
Causes funds to be locked within the contract
Tools Used
Manual Review, Forge
Recommendations
Alternatively, ensure that the StabilityPool contract implements a receive or fallback function to accept Ether transfers.
Always check the success of external calls to avoid unexpected reverts.
Lead Judging Commences
StabilityPool misses receive/fallback breaking the integration with NFTLiquidator
StabilityPool misses receive/fallback breaking the integration with NFTLiquidator
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.