Root + Impact

Description

Normal behavior: After a battle, both the defender and challenger NFTs should be returned to the rightful owner (the winner or split as per rules).

Issue: The code only updates the internal stats and ownership tables (transfer_record_only) but never calls object::transfer to actually return the NFTs to the winner’s account. As a result, both NFTs remain locked under @battle_addr.

Risk

This happens in every battle resolution, since the return transfers are never executed.

Impact:

Both players permanently lose custody of their NFTs. Assets become locked at @battle_addr, causing total loss unless the module owner manually intervenes.

Recommended Mitigation