Bidder can steal all the base token by repeatedly calling finalize()
Lines of code Vulnerability details Impact All the base token will be stolen by malicious bidder, even worse the bidder might pay nothing at the end. Proof of Concept Anyone can call finalize, and it can be called multiple times. FinalizeData memory data is local, which means in each call, data i...