- Bug: The withdraw function in AllPayAuction.sol does not restrict who can call it. Anyone can call withdraw(auctionId) and the contract will send the availableFunds (minus fees) to the auctioneer.
- Fix: Add the onlyManager modifier or a custom require(msg.sender == auction.auctioneer) check.
- Why: Without access control, a malicious actor could trigger withdrawals prematurely or cause accounting issues for the auctioneer.
@kaneki003 Please allow me to propose this fix, thank you.
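To make the reported issue and the proposed `require(msg.sender == auction.auctioneer)` fix concrete, here is an added example (not code from AllPayAuction.sol or the project) that places the unprotected `withdraw` shape next to a hardened one. The `Auction` struct layout, the `FEE_BPS` fee, the `feeRecipient` address and the `onlyAuctioneer` modifier are assumptions made for this illustration only; the project's own `onlyManager` modifier is not shown here and may have different semantics.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract only. Struct layout, fee math, error types and the
// onlyAuctioneer modifier are assumptions for this example, not the project's code.
contract AllPayAuctionExample {
    struct Auction {
        address auctioneer;     // assumed: who is entitled to the proceeds
        uint256 availableFunds; // assumed: accumulated, not yet withdrawn balance
    }

    uint256 public constant FEE_BPS = 250; // assumed 2.5% protocol fee
    address public immutable feeRecipient;  // assumed fee sink
    mapping(uint256 => Auction) public auctions;

    error NotAuctioneer(uint256 auctionId, address caller);
    error NothingToWithdraw(uint256 auctionId);

    // Per-auction access check: only the recorded auctioneer may pass.
    // An inline require(msg.sender == a.auctioneer) is equivalent.
    modifier onlyAuctioneer(uint256 auctionId) {
        if (msg.sender != auctions[auctionId].auctioneer) {
            revert NotAuctioneer(auctionId, msg.sender);
        }
        _;
    }

    constructor(address _feeRecipient) {
        feeRecipient = _feeRecipient;
    }

    // VULNERABLE SHAPE (kept only to show the bug): no restriction on msg.sender,
    // so any address can trigger the payout to the auctioneer whenever it likes.
    function withdrawUnprotected(uint256 auctionId) external {
        _payout(auctionId);
    }

    // HARDENED SHAPE: the auctioneer alone decides when funds are withdrawn.
    function withdraw(uint256 auctionId) external onlyAuctioneer(auctionId) {
        _payout(auctionId);
    }

    // Shared payout logic: checks, then effects, then interactions.
    function _payout(uint256 auctionId) internal {
        Auction storage a = auctions[auctionId];
        uint256 amount = a.availableFunds;
        if (amount == 0) revert NothingToWithdraw(auctionId);

        // Zero the balance before any external call to avoid re-entrant double spends.
        a.availableFunds = 0;

        uint256 fee = (amount * FEE_BPS) / 10_000;
        (bool feeOk, ) = feeRecipient.call{value: fee}("");
        require(feeOk, "fee transfer failed");
        (bool payOk, ) = a.auctioneer.call{value: amount - fee}("");
        require(payOk, "auctioneer payout failed");
    }
}
```

In a review, `withdrawUnprotected` is the shape to flag: the destination is fixed (the auctioneer), so no funds are stolen, but the timing of the withdrawal and therefore the auctioneer's bookkeeping can be forced by any third party. The modifier version binds the caller to the specific `auctionId` rather than to a global role, which is the narrower privilege.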