Foundation contest - shenwilly's results

Building the new creative economy

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $75,000 USDC

Total HM: 21

Participants: 28

Period: 7 days

Judge: alcueca

Total Solo HM: 15

Id: 94

League: ETH

Foundation

Findings Distribution

Researcher Performance

Rank: 11/28

Findings: 1

Award: $1,479.11

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hyh

Also found by: WatchPug, leastwood, shenwilly

Labels

bug
duplicate
3 (High Risk)

Awards

1479.1136 USDC - $1,479.11

External Links

Lines of code

https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketReserveAuction.sol#L557-L560

Vulnerability details

Impact

FNDNFTMarket allows a market offer to be made on an auctioned NFT whose auction has ended but has not yet been finalised by the auction winner. The auction winner can call acceptOffer() to accept the offer and finalise the auction in a single call.

However, the current implementation contains incorrect logic: accepting the offer transfers the NFT to the auction winner instead of the offerer, so the offerer loses their funds without receiving the NFT.

Proof of Concept

  1. Alice is the highest bidder on an auctioned NFT.
  2. Once the auction has ended (but not finalised), Bob makes a market offer on the NFT.
  3. Alice calls acceptOffer(). Bob's funds are distributed to Alice, but the NFT is still sent to Alice rather than to Bob.

Tools Used

Manual code review

Recommended Mitigation Steps

Modify the logic in NFTMarketReserveAuction._transferFromEscrow() so that it properly transfers the NFT to the offerer.

Specifically, in L557-L560:

  1. Change _finalizeReserveAuction(auctionId, false) to _finalizeReserveAuction(auctionId, true), so the NFT stays in escrow when the auction is settled.
  2. Remove the return statement so execution continues and the NFT is transferred to the offerer.
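As an added illustration, not code from the Foundation repository or from the report, the following simplified Solidity model reproduces the escrow-transfer pattern the finding describes: acceptOffer() on a token whose auction has ended routes through _transferFromEscrow(), which settles the auction before the escrow release. The contract name, storage layout, helper names (setupEndedAuction, _finalizeAuction, applyFix) and the payout accounting are assumptions made for the example; only the defect shape (finalise with keepInEscrow = false, then return early) and the fix (keepInEscrow = true, no early return) follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Constructed model of an NFT held in market escrow that can be sold either
/// through a reserve auction or through a market offer on the same token.
/// This is NOT the Foundation contract; every name here is an assumption.
contract EscrowSaleModel {
    struct Auction {
        address seller;   // who listed the token
        address bidder;   // highest bidder (the winner once the auction ended)
        uint256 amount;   // winning bid
        uint256 endTime;  // 0 means no auction exists for this token
    }
    struct Offer {
        address buyer;
        uint256 amount;
    }

    mapping(uint256 => address) public owner;     // address(this) means "in escrow"
    mapping(uint256 => Auction) public auctions;
    mapping(uint256 => Offer) public offers;
    mapping(address => uint256) public balances;  // constructed payout accounting
    bool public immutable applyFix;               // true = behaviour after the recommended change

    constructor(bool applyFix_) { applyFix = applyFix_; }

    /// Constructed setup for step 1 of the PoC: the token sits in escrow with an
    /// auction that has ended but has not been finalised, won by `bidder`.
    function setupEndedAuction(uint256 tokenId, address seller, address bidder,
                               uint256 amount, uint256 endTime) external {
        require(endTime < block.timestamp, "auction must already have ended");
        owner[tokenId] = address(this);
        auctions[tokenId] = Auction(seller, bidder, amount, endTime);
    }

    /// Step 2 of the PoC: a third party makes a market offer on the escrowed token.
    function makeOffer(uint256 tokenId) external payable {
        require(msg.value > 0, "offer must be funded");
        offers[tokenId] = Offer(msg.sender, msg.value);
    }

    /// Step 3 of the PoC: the caller accepts the offer. The offer amount is
    /// credited to the caller and the NFT is supposed to go to the offerer.
    function acceptOffer(uint256 tokenId) external {
        Offer memory offer = offers[tokenId];
        require(offer.buyer != address(0), "no offer");
        delete offers[tokenId];
        balances[msg.sender] += offer.amount;
        _transferFromEscrow(tokenId, offer.buyer, msg.sender);
    }

    function _transferFromEscrow(uint256 tokenId, address recipient, address authorizeSeller) internal {
        Auction storage auction = auctions[tokenId];
        if (auction.endTime != 0) {
            require(auction.endTime < block.timestamp, "auction still running");
            require(authorizeSeller == auction.bidder, "only the auction winner may sell");
            if (!applyFix) {
                // Reported defect: finalising with keepInEscrow = false hands the
                // NFT to the auction winner (the caller), and the early return
                // skips the transfer to `recipient`, so the offerer paid for nothing.
                _finalizeAuction(tokenId, false);
                return;
            }
            // Recommended change: settle the auction but keep the NFT in escrow,
            // then fall through so it is transferred to the offerer.
            _finalizeAuction(tokenId, true);
        }
        require(owner[tokenId] == address(this), "not in escrow");
        owner[tokenId] = recipient;
    }

    function _finalizeAuction(uint256 tokenId, bool keepInEscrow) internal {
        Auction memory auction = auctions[tokenId];
        delete auctions[tokenId];
        balances[auction.seller] += auction.amount; // pay the original seller
        if (!keepInEscrow) {
            owner[tokenId] = auction.bidder;         // release the token to the winner
        }
        // With keepInEscrow the token stays at address(this); the winner is the
        // party entitled to sell it, which the authorizeSeller check above enforced.
    }
}
```

Deployed with applyFix = false, the PoC sequence (setupEndedAuction with Alice as bidder, makeOffer from Bob, acceptOffer from Alice) leaves owner[tokenId] == Alice while balances[Alice] already includes Bob's offer; with applyFix = true the same sequence leaves owner[tokenId] == Bob. The keepInEscrow flag is the whole point: settling the auction must not also release the token, because the escrow transfer that follows is what delivers it to the party who actually paid.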

#0 - HardlyDifficult

2022-03-02T16:45:31Z

Duplicate of https://github.com/code-423n4/2022-02-foundation-findings/issues/49

This is an excellent find and the report is very detailed & clear! We are implementing the recommended change.

AuditHub
