
fix: restrict AllPayAuction withdraw to auctioneer #24

Open
harshkumarrai wants to merge 1 commit into StabilityNexus:main from harshkumarrai:fix-allpay-withdraw-access

harshkumarrai commented Jan 28, 2026

Fixes #18
Adds access control to AllPayAuction.withdraw so only the auctioneer can withdraw funds.
Prevents unauthorized callers from triggering withdrawals.

Summary by CodeRabbit

  • Bug Fixes
    • Restricted auction fund withdrawals to the auctioneer only.
    • Added protection against withdrawal attempts when no funds are available.


coderabbitai bot commented Jan 28, 2026

📝 Walkthrough

The withdraw function in AllPayAuction.sol now enforces access control, restricting withdrawals to only the auctioneer. An additional guard prevents withdrawal when no funds are available.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Security Fix: contracts/AllPayAuction.sol | Added access control to withdraw function to restrict calls to the auction auctioneer. Implemented zero-balance guard to prevent withdrawal attempts when funds unavailable. Minor formatting adjustments applied. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through contracts with care,
Locks the withdraw gate, so none can unfair,
Guards the funds tight with a zero-check wall,
Now only the auctioneer can claim all! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically describes the main change: restricting the AllPayAuction withdraw function to only the auctioneer, which directly addresses the primary objective. |
| Linked Issues check | ✅ Passed | The pull request successfully implements access control on the withdraw function by restricting it to the auctioneer, directly addressing the requirements in issue #18 to prevent unauthorized fund withdrawals. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope: the access control restriction to the auctioneer, zero-balance guard, and minor formatting are all directly related to fixing the unauthorized withdrawal vulnerability. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Development

Successfully merging this pull request may close these issues.

Issue: AllPayAuction logic allows unauthorized withdrawal of all funds.
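
The two guards described in the conversation above (caller must be the auctioneer, and there must be funds to withdraw), sketched in Solidity as an added example. This is not the code from contracts/AllPayAuction.sol or from this pull request: the contract, struct, field, function and error-string names are assumptions, as is paying the proceeds to the auctioneer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Not the project's AllPayAuction.sol:
// every name below (contract, struct, fields, functions) is hypothetical.
contract AllPayWithdrawSketch {
    struct Auction {
        address auctioneer;     // account that created the auction
        uint256 availableFunds; // bids collected and not yet withdrawn
    }

    mapping(uint256 => Auction) private auctions;
    uint256 private nextId;

    event Withdrawn(uint256 indexed auctionId, address indexed to, uint256 amount);

    function createAuction() external returns (uint256 auctionId) {
        auctionId = nextId++;
        auctions[auctionId].auctioneer = msg.sender;
    }

    // All-pay: every bid is kept by the auction, win or lose.
    function bid(uint256 auctionId) external payable {
        Auction storage a = auctions[auctionId];
        require(a.auctioneer != address(0), "Unknown auction");
        require(msg.value > 0, "Empty bid");
        a.availableFunds += msg.value;
    }

    function withdraw(uint256 auctionId) external {
        Auction storage a = auctions[auctionId];

        // Guard 1: access control. Unknown ids fail here too, because
        // their stored auctioneer is address(0).
        require(msg.sender == a.auctioneer, "Only auctioneer can withdraw");

        // Guard 2: nothing to pay out (also stops a repeated call).
        uint256 amount = a.availableFunds;
        require(amount > 0, "No funds to withdraw");

        // Effects before interaction: zero the balance, then transfer.
        a.availableFunds = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Transfer failed");

        emit Withdrawn(auctionId, msg.sender, amount);
    }
}
```

A test for a fix of this kind would call `withdraw` from a non-auctioneer account and expect a revert, then call it twice from the auctioneer and expect the second call to revert on the zero-balance guard.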
