fix: auction payout can be locked before execute #636

Leechael · 2024-04-03T04:55:15Z

In the collectAuctionPayout function, it becomes apparent that the variable paidOutBidAmount is set to true before the necessary require checks are performed. This has the potential to cause an issue where the auction creator does not receive their tokens, even if the auction is successful and has expired.

contracts/contracts/prebuilts/marketplace/english-auctions/EnglishAuctionsLogic.sol

Lines 147 to 166 in a9e6477

    
           function collectAuctionPayout(uint256 _auctionId) external nonReentrant { 
        
               require( 
        
                   !_englishAuctionsStorage().payoutStatus[_auctionId].paidOutBidAmount, 
        
                   "Marketplace: payout already completed." 
        
               ); 
        
               _englishAuctionsStorage().payoutStatus[_auctionId].paidOutBidAmount = true; 
        
               Auction memory _targetAuction = _englishAuctionsStorage().auctions[_auctionId]; 
        
               Bid memory _winningBid = _englishAuctionsStorage().winningBid[_auctionId]; 
        
               require(_targetAuction.status != IEnglishAuctions.Status.CANCELLED, "Marketplace: invalid auction."); 
        
               require(_targetAuction.endTimestamp <= block.timestamp, "Marketplace: auction still active."); 
        
               require(_winningBid.bidder != address(0), "Marketplace: no bids were made."); 
        
               _closeAuctionForAuctionCreator(_targetAuction, _winningBid); 
        
               if (_targetAuction.status != IEnglishAuctions.Status.COMPLETED) { 
        
                   _englishAuctionsStorage().auctions[_auctionId].status = IEnglishAuctions.Status.COMPLETED; 
        
               } 
        
           }

This PR aims to fix the potential issue.

fix: auction payout can be locked before execute

5f674c6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: auction payout can be locked before execute #636

fix: auction payout can be locked before execute #636

Uh oh!

Leechael commented Apr 3, 2024

Uh oh!

Uh oh!

	function collectAuctionPayout(uint256 _auctionId) external nonReentrant {
	require(
	!_englishAuctionsStorage().payoutStatus[_auctionId].paidOutBidAmount,
	"Marketplace: payout already completed."
	);
	_englishAuctionsStorage().payoutStatus[_auctionId].paidOutBidAmount = true;

	Auction memory _targetAuction = _englishAuctionsStorage().auctions[_auctionId];
	Bid memory _winningBid = _englishAuctionsStorage().winningBid[_auctionId];

	require(_targetAuction.status != IEnglishAuctions.Status.CANCELLED, "Marketplace: invalid auction.");
	require(_targetAuction.endTimestamp <= block.timestamp, "Marketplace: auction still active.");
	require(_winningBid.bidder != address(0), "Marketplace: no bids were made.");

	_closeAuctionForAuctionCreator(_targetAuction, _winningBid);

	if (_targetAuction.status != IEnglishAuctions.Status.COMPLETED) {
	_englishAuctionsStorage().auctions[_auctionId].status = IEnglishAuctions.Status.COMPLETED;
	}
	}

fix: auction payout can be locked before execute #636

Are you sure you want to change the base?

fix: auction payout can be locked before execute #636

Uh oh!

Conversation

Leechael commented Apr 3, 2024

Uh oh!

Uh oh!