Summary
AllPayAuction.withdraw(uint256 auctionId) can be called before the auction deadline, allowing funds to be withdrawn while bidding is still active. This breaks the intended auction lifecycle and settlement guarantees.
Affected Component
- Contract:
AllPayAuction.sol
- Function:
withdraw(uint256 auctionId)
- Base lifecycle modifiers defined in:
Auction.sol
Problem Description
The protocol explicitly defines auction phases using time-based modifiers:
beforeDeadline → used for bidding
onlyAfterDeadline → used for claiming assets
However, withdraw in AllPayAuction does not enforce any deadline check.
As a result, withdraw(auctionId) can be called when:
block.timestamp < auction.deadline
- bidding is still open
- the deadline may still be extended by new bids
This allows auction funds to be settled prematurely.
Expected Behavior
Withdrawal of accumulated bid funds should only be possible after the auction has ended.
Summary
AllPayAuction.withdraw(uint256 auctionId)can be called before the auction deadline, allowing funds to be withdrawn while bidding is still active. This breaks the intended auction lifecycle and settlement guarantees.Affected Component
AllPayAuction.solwithdraw(uint256 auctionId)Auction.solProblem Description
The protocol explicitly defines auction phases using time-based modifiers:
beforeDeadline→ used for biddingonlyAfterDeadline→ used for claiming assetsHowever,
withdrawinAllPayAuctiondoes not enforce any deadline check.As a result,
withdraw(auctionId)can be called when:block.timestamp < auction.deadlineThis allows auction funds to be settled prematurely.
Expected Behavior
Withdrawal of accumulated bid funds should only be possible after the auction has ended.