Closed Oighty closed 2 months ago
A few over-arching issues/comments:
For purchases in the AtomicAuctionHouse, a purchase has a buyer (msg.sender), but can specify a different recipient.
_sendPayout()
on line 194 uses recipient value, but does not check if it is the zero address. Should probably make this consistent.Is there a need for "purchase on behalf of" with atomic purchases, along the same lines? e.g. with zapping, wouldn't msg.sender
of the call to AtomicAuctionHouse be the zapping contract? Even if the recipient were specified, if the auction lot has an allowlist that has recipient
, msg.sender
won't equal that and therefore won't be able to purchase. Or should recipient
be checked against the allowlist?
For the proposed changes, bidder
would need to be on a callback allowlist, not the msg.sender
, which seems correct.
For both bid and purchase, I think we need to document that the payment (quote tokens) will always be pulled from msg.sender
, regardless of the value of recipient
/bidder
.
For purchases in the AtomicAuctionHouse, a purchase has a buyer (msg.sender), but can specify a different recipient. The call to _sendPayout() on line 194 uses recipient value, but does not check if it is the zero address. Should probably make this consistent.
This is fixed.
Is there a need for "purchase on behalf of" with atomic purchases, along the same lines? e.g. with zapping, wouldn't msg.sender of the call to AtomicAuctionHouse be the zapping contract? Even if the recipient were specified, if the auction lot has an allowlist that has recipient, msg.sender won't equal that and therefore won't be able to purchase. Or should recipient be checked against the allowlist?
Also done.
Per discussion in this thread about "zapping" into auctions, I realized we had not added support to specify a recipient other than
msg.sender
in the BatchAuctionHouse even though this functionality is in the AtomicAuctionHouse. This is important for integrations with other systems, which may route user's bids for them. This doesn't work in the same way though since the payout is not sent in the same transaction. Instead, we have to make it so callers can "bid on behalf of" another address. The designated bidder then receives all refunds and payouts (they are the owner of the bid). If a bidder is not specified (address zero), then we assume the caller is the bidder.Tasks