The finalize function finalizes the auction, locking all bids and paying the seller.
However, any user, including bidders, can call finalize: it is a public function and there is no check on the caller.
This may allow a bidder to supply malicious data and then call cancelBid after finalize, which is not supposed to be possible.
This may result in a loss of funds from the contract: when a malicious bidder calls cancelBid, he or she is refunded the full bid amount. If that bidder was successful in the auction, the contract may lose additional base tokens, because finalize has already sent the seller all of the successful bidders' payments.
Access-gate the finalize function call so that only the seller can call it.
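As an added illustration (not the project's contract), the following hypothetical auction sketch shows the two guards implied by this report: finalize restricted to the seller, and cancelBid refused once the auction has been finalized so a bid cannot be refunded after the seller has been paid. The contract name, state variables and function bodies are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical auction sketch, not the project's contract. It shows the two
// guards the report calls for: finalize() gated to the seller, and cancelBid()
// refused once finalization has locked the bids.
contract GatedAuction {
    address public immutable seller;
    bool public finalized;
    mapping(address => uint256) public bids;
    uint256 public totalBids;

    constructor() {
        seller = msg.sender;
    }

    modifier onlySeller() {
        require(msg.sender == seller, "caller is not the seller");
        _;
    }

    modifier notFinalized() {
        require(!finalized, "auction already finalized");
        _;
    }

    function bid() external payable notFinalized {
        bids[msg.sender] += msg.value;
        totalBids += msg.value;
    }

    // Without notFinalized, a bidder could still be refunded after the
    // seller had been paid from the same balance.
    function cancelBid() external notFinalized {
        uint256 amount = bids[msg.sender];
        require(amount > 0, "no bid to cancel");
        bids[msg.sender] = 0;   // effects before interaction
        totalBids -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    // Before the fix this was callable by anyone; now seller-only and
    // single-shot. Real auction logic would pay only winning bids here.
    function finalize() external onlySeller notFinalized {
        finalized = true;
        (bool ok, ) = seller.call{value: totalBids}("");
        require(ok, "payout failed");
    }
}
```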