Auction creator can withdraw/transfer NFT externally before auction ends, leaving winner with nothing #52

@anshulchikhale30-p

Description

Feature and its Use Cases

Problem

Once an NFT is deposited to start an auction, there's no on-chain enforcement preventing
the original owner from front-running the finalization by calling safeTransferFrom on the NFT contract
directly (if they retained approval). The contract holds the NFT, but if ownership wasn't properly escrowed,
a malicious seller can retrieve it before finalization.

Suggested Fix

Ensure the NFT is transferred INTO the contract (not just approved) at auction creation:

nftContract.safeTransferFrom(msg.sender, address(this), tokenId);

And verify the contract owns the NFT in finalizeAuction():

require(nftContract.ownerOf(tokenId) == address(this), "NFT not escrowed");

Impact

High — winning bidder loses funds without receiving the auctioned asset.

Additional Context

No response

Code of Conduct

  • I have joined the Discord server and will post updates there
  • I have searched existing issues to avoid duplicates
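One way to structure the escrow so that both suggested checks are in place, as an added illustrative Solidity contract (not the repository's own code): it assumes ETH bids, an ERC-721 asset, and OpenZeppelin's IERC721/IERC721Receiver interfaces; the contract name, struct layout and function signatures are my assumptions.

```solidity
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Illustrative escrowed auction (added example, not the project's contract).
contract EscrowedAuction is IERC721Receiver {
    struct Auction {
        address seller; IERC721 nft; uint256 tokenId; uint256 endTime;
        address highestBidder; uint256 highestBid; bool finalized;
    }
    mapping(uint256 => Auction) public auctions;
    uint256 public nextId;

    function createAuction(IERC721 nft, uint256 tokenId, uint256 duration) external returns (uint256 id) {
        id = nextId++;
        auctions[id] = Auction(msg.sender, nft, tokenId, block.timestamp + duration, address(0), 0, false);
        // Pull the token INTO the contract now. Relying on approve() alone leaves the seller
        // (or anyone else they approved) able to move the token away before finalization.
        nft.safeTransferFrom(msg.sender, address(this), tokenId);
        require(nft.ownerOf(tokenId) == address(this), "NFT not escrowed");
    }

    function bid(uint256 id) external payable {
        Auction storage a = auctions[id];
        require(block.timestamp < a.endTime, "ended");
        require(msg.value > a.highestBid, "bid too low");
        (address prev, uint256 prevBid) = (a.highestBidder, a.highestBid);
        (a.highestBidder, a.highestBid) = (msg.sender, msg.value); // update state before any external call
        if (prev != address(0)) {
            (bool ok, ) = prev.call{value: prevBid}(""); // refund the outbid bidder
            require(ok, "refund failed");
        }
    }

    function finalizeAuction(uint256 id) external {
        Auction storage a = auctions[id];
        require(block.timestamp >= a.endTime && !a.finalized, "not finalizable");
        // Re-check escrow before paying the seller: never release funds for an asset that is not here.
        require(a.nft.ownerOf(a.tokenId) == address(this), "NFT not escrowed");
        a.finalized = true;
        address recipient = a.highestBidder == address(0) ? a.seller : a.highestBidder;
        a.nft.safeTransferFrom(address(this), recipient, a.tokenId);
        (bool ok, ) = a.seller.call{value: a.highestBid}(""); // zero when there were no bids
        require(ok, "payout failed");
    }

    function onERC721Received(address, address, uint256, bytes calldata) external pure override returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

The ownerOf check in finalizeAuction() is defence in depth: with the transfer-in at creation it should never fail, and if it does, the seller is not paid for an asset the contract no longer holds.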

Metadata

Labels

enhancement (New feature or request)