Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Auction can be voided via `buyBackNFT` Function

Summary

The buyBackNFT function is publicly accessible and lacks access restrictions, allowing any user to trigger a buyback and prematurely end an active auction.

Vulnerability Details

In the code at https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/StabilityPool/NFTLiquidator.sol#L160-L183, the function does not enforce any check on who may call it, so any external user can invoke `buyBackNFT`. By doing so, anyone can force the termination of an auction, regardless of the auction's current state or whether they are the highest bidder, effectively taking the NFT out of the auction process and locking out legitimate bidders.

At first view this might look like a feature designed to end an auction early once the debt is covered, but anyone can take the NFT from the deserving highest bidder at a profit whenever that bid is well above `debt * 1.1`. For example, an NFT covering a debt of 1 ETH with a current highest bid of 2 ETH can be taken by anyone who pays just 1.1 ETH, voiding the auction and cheating the highest bidder.

Impact

  • Compromises the fairness of the auction process

  • Enables malicious actors to unilaterally end auctions, disrupting market dynamics

Tools Used

Manual Review

Recommendations

  • Consider integrating a multi-step confirmation or time delay mechanism to prevent abrupt auction termination.

  • Validate that the caller has a legitimate claim or stake in the auction before allowing the buyback to proceed.
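The following simplified auction contract, written for this report and not taken from the RAAC NFTLiquidator code, puts the unrestricted buyback pattern described in Vulnerability Details next to a hardened version that applies the second recommendation (only the borrower may buy back). The hardened version additionally requires the buyback payment to match the standing highest bid, which goes beyond the recommendations above; all field names, the 110% premium and the helper functions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Simplified auction model written for this finding (not the RAAC NFTLiquidator
/// code); field names, the 110% premium and the helper functions are assumptions.
contract BuyBackExample {
    struct Auction { address borrower; uint256 debt; address highestBidder; uint256 highestBid; bool active; }
    mapping(uint256 => Auction) public auctions;
    mapping(uint256 => address) public nftOwner;       // stand-in for the ERC-721 transfer
    mapping(address => uint256) public pendingRefunds; // outbid/voided bidders pull their ETH
    uint256 public constant PREMIUM_BPS = 11_000;      // buyback price is 110% of debt
    /// Demo-only setup; a real liquidator would only open auctions internally.
    function openAuction(uint256 id, address borrower, uint256 debt) external {
        auctions[id] = Auction(borrower, debt, address(0), 0, true);
    }
    function bid(uint256 id) external payable {
        Auction storage a = auctions[id];
        require(a.active && msg.value > a.highestBid, "bid too low");
        if (a.highestBid > 0) pendingRefunds[a.highestBidder] += a.highestBid;
        (a.highestBidder, a.highestBid) = (msg.sender, msg.value);
    }
    /// Vulnerable pattern from the report: no caller check and no comparison with
    /// the standing bid, so anyone paying 1.1 x debt voids a higher bid.
    function buyBackNFT_vulnerable(uint256 id) external payable {
        Auction storage a = auctions[id];
        require(a.active, "no auction");
        require(msg.value >= a.debt * PREMIUM_BPS / 10_000, "below buyback price");
        _settle(a, id, msg.sender);
    }
    /// Hardened version: only the borrower may buy back, and the payment must at
    /// least match the highest bid, so the leading bidder is not cheated.
    function buyBackNFT(uint256 id) external payable {
        Auction storage a = auctions[id];
        require(a.active, "no auction");
        require(msg.sender == a.borrower, "only borrower");
        uint256 price = a.debt * PREMIUM_BPS / 10_000;
        if (a.highestBid > price) price = a.highestBid;
        require(msg.value >= price, "must match highest bid");
        _settle(a, id, msg.sender);
    }
    function _settle(Auction storage a, uint256 id, address to) internal {
        a.active = false;                 // close before any later external call
        nftOwner[id] = to;
        if (a.highestBid > 0) pendingRefunds[a.highestBidder] += a.highestBid;
    }
    function withdrawRefund() external {
        uint256 amt = pendingRefunds[msg.sender];
        pendingRefunds[msg.sender] = 0;   // zero before transfer (reentrancy-safe)
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "refund failed");
    }
}
```

With the report's numbers (debt 1 ETH, highest bid 2 ETH), `buyBackNFT_vulnerable` accepts 1.1 ETH from any address, while `buyBackNFT` rejects every caller except the borrower and requires at least 2 ETH from them.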

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
