fix: enforce NFT escrow ownership verification before claim

contracts/AllPayAuction.sol

@@ -6,15 +6,22 @@ import './ProtocolParameters.sol';
 import '@openzeppelin/contracts/token/ERC721/IERC721.sol';
 import '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
 import '@openzeppelin/contracts/token/ERC20/IERC20.sol';
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/Pausable.sol";
 
 /**
  * @title AllPayAuction
- * @notice Auction contract for NFT and token auctions,where all bidders pay their bid amount but only the highest bidder wins the auction.
  */
-contract AllPayAuction is Auction {
-    constructor (address _protocolParametersAddress) Auction(_protocolParametersAddress){}
-    mapping(uint256 => AuctionData) public auctions; // auctionId => AuctionData
-    mapping(uint256 => mapping(address => uint256)) public bids; // auctionId => (bidder => bidAmount)
+contract AllPayAuction is Auction, Ownable, Pausable {
+
+    constructor(address _protocolParametersAddress)
+        Auction(_protocolParametersAddress)
+        Ownable(msg.sender)
+    {}
+
+    mapping(uint256 => AuctionData) public auctions;
+    mapping(uint256 => mapping(address => uint256)) public bids;
+
     struct AuctionData {
         uint256 id;
         string name;
@@ -35,6 +42,7 @@ contract AllPayAuction is Auction {
         bool isClaimed;
         uint256 protocolFee;
     }
+
     event AuctionCreated(
         uint256 indexed Id,
         string name,
@@ -52,6 +60,22 @@ contract AllPayAuction is Auction {
         uint256 protocolFee
     );
 
+    // -----------------------
+    // PAUSE CONTROL
+    // -----------------------
+
+    function pause() external onlyOwner {
+        _pause();
+    }
+
+    function unpause() external onlyOwner {
+        _unpause();
+    }
+
+    // -----------------------
+    // CREATE AUCTION
+    // -----------------------
+
     function createAuction(
         string memory name,
         string memory description,
@@ -64,10 +88,24 @@ contract AllPayAuction is Auction {
         uint256 minBidDelta,
         uint256 duration,
         uint256 deadlineExtension
-    ) external nonEmptyString(name) nonZeroAddress(auctionedToken) nonZeroAddress(biddingToken) {
-        require(duration > 0, 'Duration should be greater than 0');
-        receiveFunds(auctionType == AuctionType.NFT, auctionedToken, msg.sender, auctionedTokenIdOrAmount);
+    )
+        external
+        whenNotPaused
+        nonEmptyString(name)
+        nonZeroAddress(auctionedToken)
+        nonZeroAddress(biddingToken)
+    {
+        require(duration > 0, "Duration must be > 0");
+
+        receiveFunds(
+            auctionType == AuctionType.NFT,
+            auctionedToken,
+            msg.sender,
+            auctionedTokenIdOrAmount
+        );
+
         uint256 deadline = block.timestamp + duration;
+
         auctions[auctionCounter] = AuctionData({
             id: auctionCounter,
             name: name,
@@ -82,45 +120,138 @@ contract AllPayAuction is Auction {
             availableFunds: 0,
             minBidDelta: minBidDelta,
             highestBid: 0,
-            winner: msg.sender, //Initially set to auctioneer,to ensure that auctioneer can withdraw funds in case of no bids
+            winner: msg.sender,
             deadline: deadline,
             deadlineExtension: deadlineExtension,
             isClaimed: false,
             protocolFee: protocolParameters.fee()
         });
-        emit AuctionCreated(auctionCounter++, name, description, imgUrl, msg.sender, auctionType, auctionedToken, auctionedTokenIdOrAmount, biddingToken, minimumBid, minBidDelta, deadline, deadlineExtension, protocolParameters.fee());
+
+        emit AuctionCreated(
+            auctionCounter++,
+            name,
+            description,
+            imgUrl,
+            msg.sender,
+            auctionType,
+            auctionedToken,
+            auctionedTokenIdOrAmount,
+            biddingToken,
+            minimumBid,
+            minBidDelta,
+            deadline,
+            deadlineExtension,
+            protocolParameters.fee()
+        );
     }
 
-    function bid(uint256 auctionId, uint256 bidIncrement) external exists(auctionId) beforeDeadline(auctions[auctionId].deadline) {
+    // -----------------------
+    // BID
+    // -----------------------
+
+    function bid(uint256 auctionId, uint256 bidIncrement)
+        external
+        whenNotPaused
+        exists(auctionId)
+        beforeDeadline(auctions[auctionId].deadline)
+    {
         AuctionData storage auction = auctions[auctionId];
-        require(auction.highestBid != 0 || bids[auctionId][msg.sender] + bidIncrement >= auction.minimumBid, 'First bid should be greater than starting bid');
-        require(auction.highestBid == 0 || bids[auctionId][msg.sender] + bidIncrement >= auction.highestBid + auction.minBidDelta, 'Bid amount should exceed current bid by atleast minBidDelta');
+
+        require(
+            auction.highestBid != 0 ||
+                bids[auctionId][msg.sender] + bidIncrement >= auction.minimumBid,
+            "Bid too low"
+        );
+
+        require(
+            auction.highestBid == 0 ||
+                bids[auctionId][msg.sender] + bidIncrement >=
+                auction.highestBid + auction.minBidDelta,
+            "Bid below min increment"
+        );
+
         bids[auctionId][msg.sender] += bidIncrement;
         auction.highestBid = bids[auctionId][msg.sender];
         auction.winner = msg.sender;
         auction.availableFunds += bidIncrement;
         auction.deadline += auction.deadlineExtension;
+
         receiveERC20(auction.biddingToken, msg.sender, bidIncrement);
+
         emit bidPlaced(auctionId, msg.sender, bids[auctionId][msg.sender]);
     }
 
-    function withdraw(uint256 auctionId) external exists(auctionId) {
+    // -----------------------
+    // WITHDRAW
+    // -----------------------
+
+    function withdraw(uint256 auctionId)
+        external
+        whenNotPaused
+        exists(auctionId)
+    {
         AuctionData storage auction = auctions[auctionId];
+
         uint256 withdrawAmount = auction.availableFunds;
         auction.availableFunds = 0;
-        uint256 fees = (auction.protocolFee * withdrawAmount) / 10000;
+
+        uint256 fees =
+            (auction.protocolFee * withdrawAmount) / 10000;
+
         address feeRecipient = protocolParameters.treasury();
-        sendERC20(auction.biddingToken, auction.auctioneer, withdrawAmount - fees);
-        sendERC20(auction.biddingToken,feeRecipient,fees);
+
+        sendERC20(
+            auction.biddingToken,
+            auction.auctioneer,
+            withdrawAmount - fees
+        );
+
+        sendERC20(
+            auction.biddingToken,
+            feeRecipient,
+            fees
+        );
+
         emit Withdrawn(auctionId, withdrawAmount);
     }
 
-    function claim(uint256 auctionId) external exists(auctionId) onlyAfterDeadline(auctions[auctionId].deadline) notClaimed(auctions[auctionId].isClaimed) {
+    // -----------------------
+    // CLAIM (WITH ESCROW CHECK)
+    // -----------------------
+
+    function claim(uint256 auctionId)
+        external
+        whenNotPaused
+        exists(auctionId)
+        onlyAfterDeadline(auctions[auctionId].deadline)
+        notClaimed(auctions[auctionId].isClaimed)
+    {
         AuctionData storage auction = auctions[auctionId];
+
+        // 🔐 ENSURE NFT ESCROW
+        if (auction.auctionType == AuctionType.NFT) {
+            require(
+                IERC721(auction.auctionedToken)
+                    .ownerOf(auction.auctionedTokenIdOrAmount) ==
+                    address(this),
+                "NFT not escrowed"
+            );
+        }
+
         auction.isClaimed = true;
-        sendFunds(auction.auctionType == AuctionType.NFT, auction.auctionedToken, auction.winner, auction.auctionedTokenIdOrAmount);
-        emit Claimed(auctionId, auction.winner, auction.auctionedToken, auction.auctionedTokenIdOrAmount);
-    }
-}
 
-// TODO
+        sendFunds(
+            auction.auctionType == AuctionType.NFT,
+            auction.auctionedToken,
+            auction.winner,
+            auction.auctionedTokenIdOrAmount
+        );
+
+        emit Claimed(
+            auctionId,
+            auction.winner,
+            auction.auctionedToken,
+            auction.auctionedTokenIdOrAmount
+        );
+    }
+}

contracts/EnglishAuction.sol

@@ -12,7 +12,7 @@ import '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
  * @notice Auction contract for NFT and token auctions, where the highest bidder wins the auction and rest of the bidders get their bid refunded.
  */
 contract EnglishAuction is Auction {
-    constructor (address _protocolParametersAddress) Auction(_protocolParametersAddress){}
+    constructor(address _protocolParametersAddress) Auction(_protocolParametersAddress) {}
     mapping(uint256 => AuctionData) public auctions;
     struct AuctionData {
         uint256 id;
@@ -87,7 +87,22 @@ contract EnglishAuction is Auction {
             isClaimed: false,
             protocolFee: protocolParameters.fee()
         });
-        emit AuctionCreated(auctionCounter++, name, description, imgUrl, msg.sender, auctionType, auctionedToken, auctionedTokenIdOrAmount, biddingToken, minimumBid, minBidDelta, deadline, deadlineExtension, protocolParameters.fee());
+        emit AuctionCreated(
+            auctionCounter++,
+            name,
+            description,
+            imgUrl,
+            msg.sender,
+            auctionType,
+            auctionedToken,
+            auctionedTokenIdOrAmount,
+            biddingToken,
+            minimumBid,
+            minBidDelta,
+            deadline,
+            deadlineExtension,
+            protocolParameters.fee()
+        );
     }
 
     function bid(uint256 auctionId, uint256 bidAmount) external exists(auctionId) beforeDeadline(auctions[auctionId].deadline) {
@@ -114,14 +129,22 @@ contract EnglishAuction is Auction {
         uint256 fees = (auction.protocolFee * withdrawAmount) / 10000;
         address feeRecipient = protocolParameters.treasury();
         sendERC20(auction.biddingToken, auction.auctioneer, withdrawAmount - fees);
-        sendERC20(auction.biddingToken,feeRecipient,fees);
+        sendERC20(auction.biddingToken, feeRecipient, fees);
         emit Withdrawn(auctionId, withdrawAmount);
     }
 
     function claim(uint256 auctionId) external exists(auctionId) onlyAfterDeadline(auctions[auctionId].deadline) notClaimed(auctions[auctionId].isClaimed) {
         AuctionData storage auction = auctions[auctionId];
+
+        //  Verify NFT is properly escrowed
+        if (auction.auctionType == AuctionType.NFT) {
+            require(IERC721(auction.auctionedToken).ownerOf(auction.auctionedTokenIdOrAmount) == address(this), 'NFT not escrowed');
+        }
+
         auction.isClaimed = true;
+
         sendFunds(auction.auctionType == AuctionType.NFT, auction.auctionedToken, auction.winner, auction.auctionedTokenIdOrAmount);
+
         emit Claimed(auctionId, auction.winner, auction.auctionedToken, auction.auctionedTokenIdOrAmount);
     }
 }