Auction Funds Never Sent To Token Owner

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L113

Vulnerability details

Impact

The owner of a token that is auctioned off may never receive the ETH they deserve from the auction. There are no requirements for the owner of the auctionDemo contract to send the ETH to the owner of the token that was auctioned.

Proof of Concept

Within the readme for the competition the NextGen team ask wardens to “Consider ways in which the owner of the token will not receive the funds of the highest bid after an Auction is claimed.” When inspecting the code we see that auctions actually send ETH to the owner of the auctionDemo contract. This is the line within the claimAuction function that distributes the eth equal to the highestBid once the auction is over:
(bool success, ) = payable(owner()).call{value: highestBid}("");

The problem is with the owner() function. This function is inherited from the OpenZeppelin Ownable contract and returns the owner of the contract not the owner of the token.

Tools Used

Manual Review

Recommended Mitigation Steps

The claimAuction function correctly grabs the owner of the token and sets it to the variable ownerOfToken. Use this variable to send eth to

function claimAuction(uint256 _tokenid) public WinnerOrAdminRequired(_tokenid,this.claimAuction.selector){
        .....
                IERC721(gencore).safeTransferFrom(ownerOfToken, highestBidder, _tokenid);
               - (bool success, ) = payable(owner()).call{value: highestBid}("");
               + (bool success, ) = payable(ownerOfToken).call{value: highestBid}("");
                emit ClaimAuction(owner(), _tokenid, success, highestBid);
        .....
    }

Assessed type

ETH-Transfer

[c4-pre-sort]

141345 marked the issue as duplicate of #245

[c4-judge]

alex-ppg marked the issue as satisfactory

[c4-judge]

alex-ppg changed the severity to 2 (Med Risk)