Feature and its Use Cases
Problem
Once an NFT is deposited to start an auction, there's no on-chain enforcement preventing
the original owner from front-running the finalization by calling safeTransferFrom on the NFT contract
directly (if they retained approval). The contract holds the NFT, but if ownership wasn't properly escrowed,
a malicious seller can retrieve it before finalization.
Suggested Fix
Ensure the NFT is transferred INTO the contract (not just approved) at auction creation:
nftContract.safeTransferFrom(msg.sender, address(this), tokenId);
And verify the contract owns the NFT in finalizeAuction():
require(nftContract.ownerOf(tokenId) == address(this), "NFT not escrowed");
Impact
High — winning bidder loses funds without receiving the auctioned asset.
Additional Context
No response
Code of Conduct