Owner of the token will not receive the funds after claimAuction()

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L113

Vulnerability details

Impact

Invariant the owner of the token will receive the funds broken, implementation is sending the fund to owner() which will be the address that deployed AuctionDemo.sol. The fund will not be at direct risk, since the address belongs to the protocol will be receiving the fund.

Proof of Concept

• Run forge init in project root

• setup deployer script and test file:
  Gist link: link

Filepath: 
- script/DeployProtocol2.s.sol
- test/AuctionDemoTest2.t.sol

• Run the test:

forge test --mt testAuctionTokenOwner -vv

• Which will yields the following output:
  Assertion will pass, which proof the fund is sent to owner() instead of token owner

Running 1 test for test/AuctionDemoTest2.t.sol:AuctionDemoTest2
[PASS] testAuctionTokenOwner() (gas: 1205318)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 7.41ms

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Tools Used

Manual Review, Forge

Recommended Mitigation Steps

Replace owner() with ownerOfToken

File: AuctionDemo.sol
- 168:                 (bool success, ) = payable(owner()).call{value: highestBid}("");
- 169:                 emit ClaimAuction(owner(), _tokenid, success, highestBid);

+ 168:                 (bool success, ) = payable(ownerOfToken).call{value: highestBid}("");
+ 169:                 emit ClaimAuction(ownerOfToken, _tokenid, success, highestBid);

Assessed type

Context

[c4-pre-sort]

141345 marked the issue as duplicate of #245

[c4-judge]

alex-ppg marked the issue as satisfactory