Omniscia Seen Haus Audit
AuctionEnderFacet Manual Review Findings
AEF-01M: Potentially Incorrect Physical Ticket Workflow
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Minor | AuctionEnderFacet.sol:L100 |
Description:
The closeAuction workflow for physical items issues a ticket to the buyer that can then be immediately redeemed for the NFT, as the ItemsTicketer contract does not apply any access control on the claim function.
Example:
contracts/market/handlers/facets/AuctionEnderFacet.sol

```solidity
 94    // Determine if consignment is physical
 95    address nft = getMarketController().getNft();
 96    if (nft == consignment.tokenAddress && ISeenHausNFT(nft).isPhysical(consignment.tokenId)) {
 97
 98        // For physicals, issue an escrow ticket to the buyer
 99        address escrowTicketer = getMarketController().getEscrowTicketer(_consignmentId);
100        IEscrowTicketer(escrowTicketer).issueTicket(_consignmentId, 1, auction.buyer);
101
102    } else {
```
Recommendation:
We advise that the ticket either be claimable only upon validation by the escrow agent (to ensure the user has received the physical item), or that the workflow be adjusted instead, as it currently does not appear to guarantee proper acquisition of the physical portion of the NFT.
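The following is an added illustration of the first recommended option, not code from the Seen Haus repository: a hypothetical ticketer in which a ticket issued at auction close can only be redeemed after the escrow agent has attested delivery. Only issueTicket and claim come from the audited interface; the contract name, the escrow agent role, confirmDelivery and the storage layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical ticketer illustrating the recommended gating: a ticket issued at
// auction close can only be redeemed once the escrow agent has confirmed that
// the physical item was delivered. Names other than issueTicket/claim are assumed.
contract GatedEscrowTicketer {
    struct Ticket {
        uint256 consignmentId;
        uint256 amount;
        address buyer;
        bool delivered; // set only by the escrow agent
        bool claimed;
    }

    address public immutable marketHandler; // only caller allowed to issue tickets
    address public immutable escrowAgent;   // attests physical delivery
    mapping(uint256 => Ticket) public tickets;
    uint256 public nextTicketId;

    constructor(address _marketHandler, address _escrowAgent) {
        marketHandler = _marketHandler;
        escrowAgent = _escrowAgent;
    }

    // Mirrors the issueTicket(_consignmentId, 1, auction.buyer) call in the excerpt.
    function issueTicket(uint256 _consignmentId, uint256 _amount, address _buyer) external returns (uint256 ticketId) {
        require(msg.sender == marketHandler, "only market handler");
        ticketId = nextTicketId++;
        tickets[ticketId] = Ticket(_consignmentId, _amount, _buyer, false, false);
    }

    // Escrow agent attests that the buyer received the physical item.
    function confirmDelivery(uint256 _ticketId) external {
        require(msg.sender == escrowAgent, "only escrow agent");
        require(tickets[_ticketId].buyer != address(0), "unknown ticket");
        tickets[_ticketId].delivered = true;
    }

    // claim checks the caller, the delivery attestation and single use.
    function claim(uint256 _ticketId) external {
        Ticket storage t = tickets[_ticketId];
        require(msg.sender == t.buyer, "only ticket holder");
        require(t.delivered, "delivery not confirmed");
        require(!t.claimed, "already claimed");
        t.claimed = true;
        // NFT transfer to t.buyer goes here; omitted as it depends on the market's NFT interface.
    }
}
```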
Alleviation:
After discussion with the Seen Haus team, we concluded that this is indeed intended functionality, as a claim is meant to represent a request for physical shipment rather than a claim of the physical item. As a result, we consider this exhibit null.