Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

NFT Stuck in Auction Contract Due to Missing Retrieval Mechanism

johny7173

Summary

The NFTLiquidator contract lacks a mechanism to retrieve NFTs when no bids are placed in an auction. If an auction ends without a bidder, the NFT remains stuck in the contract indefinitely since neither buyBackNFT nor endAuction can successfully execute.

Vulnerability Details

The vulnerability arises because:

The buyBackNFT function reverts if the auction has ended (AuctionHasEnded).
The endAuction function reverts if there is no bidder (NoBidsPlaced).

This results in a scenario where an NFT remains permanently locked within the contract if no bids are placed during the auction period.

Affected Code:

function endAuction(uint256 tokenId) external {

TokenData storage data = tokenData[tokenId];

if (block.timestamp < data.auctionEndTime) revert AuctionNotEnded();

if (data.highestBidder == address(0)) revert NoBidsPlaced();

}

function buyBackNFT(uint256 tokenId) external payable {

TokenData storage data = tokenData[tokenId];

if (block.timestamp >= data.auctionEndTime) revert AuctionHasEnded();

}

Since both functions revert under different conditions, no function allows retrieval of the NFT if no bids were placed.

Impact

The NFT remains permanently locked in the NFTLiquidator contract.
Owners lose access to their NFTs if no bids are placed.

Tools Used

Manual Code Review

Recommended Mitigation

Introduce a fallback mechanism to allow NFT recovery if no bids are placed.

Modify endAuction to allow the contract owner or a predefined address to reclaim the NFT if no bids exist.
Introduce a new function, e.g., recoverUnsoldNFT, that enables the return of NFTs to the stability pool if the auction ends without a bid.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!