
[Critical] AllPayAuction allows withdrawal before auction deadline #45

Description

@dhruvi-16-me

Summary

AllPayAuction.withdraw(uint256 auctionId) can be called before the auction deadline, allowing funds to be withdrawn while bidding is still active. This breaks the intended auction lifecycle and settlement guarantees.

Affected Component

  • Contract: AllPayAuction.sol
  • Function: withdraw(uint256 auctionId)
  • Base lifecycle modifiers defined in: Auction.sol

Problem Description

The protocol explicitly defines auction phases using time-based modifiers:

  • beforeDeadline → used for bidding
  • onlyAfterDeadline → used for claiming assets

However, withdraw in AllPayAuction does not enforce any deadline check.

As a result, withdraw(auctionId) can be called when:

  • block.timestamp < auction.deadline
  • bidding is still open
  • the deadline may still be extended by new bids

This allows auction funds to be settled prematurely.

Expected Behavior

Withdrawal of accumulated bid funds should only be possible after the auction has ended.
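To illustrate the expected lifecycle gating, here is an added example (not the project's own code) that applies the report's `onlyAfterDeadline` modifier to `withdraw`, beside a `bid` gated by `beforeDeadline`. The `Auction` struct fields, the `seller` check and the `settled` flag are assumptions made for the example; only the modifier names, the `withdraw(uint256 auctionId)` signature and `deadline` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the lifecycle modifiers the report says live in Auction.sol.
// Struct layout and anything beyond the reported names is an assumption.
abstract contract AuctionLifecycle {
    struct Auction {
        address seller;
        uint256 deadline;   // unix timestamp after which bidding closes
        uint256 totalBids;  // accumulated bid funds (all-pay: every bid stays)
        bool settled;
    }

    mapping(uint256 => Auction) internal auctions;

    modifier beforeDeadline(uint256 auctionId) {
        require(block.timestamp < auctions[auctionId].deadline, "bidding closed");
        _;
    }

    modifier onlyAfterDeadline(uint256 auctionId) {
        require(block.timestamp >= auctions[auctionId].deadline, "auction still active");
        _;
    }
}

contract AllPayAuctionFixed is AuctionLifecycle {
    // Bidding stays gated by beforeDeadline, as in the original protocol.
    function bid(uint256 auctionId) external payable beforeDeadline(auctionId) {
        auctions[auctionId].totalBids += msg.value;
    }

    // Withdrawal is gated by the same onlyAfterDeadline modifier used for claims,
    // so it cannot execute while bids may still arrive or extend the deadline.
    function withdraw(uint256 auctionId) external onlyAfterDeadline(auctionId) {
        Auction storage a = auctions[auctionId];
        require(msg.sender == a.seller, "not seller");
        require(!a.settled, "already settled");
        a.settled = true;            // effects before interaction
        uint256 amount = a.totalBids;
        a.totalBids = 0;
        (bool ok, ) = a.seller.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because the modifier reads `deadline` at call time, a deadline extended by a late bid automatically pushes the earliest valid `withdraw` out with it, which is the property the report says is missing.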
