Description: The MartenitsaMarketplace::listMartenitsaForSale
function doesn't transfer the listed tokens from the seller
to the contract. Because of this, a seller
can list a token for sale, and then transfer it to a different address. If they don't cancel the listing, the buyer
will think that this is a legitimate listing. When they will try to buy this particular token, they will get a failed transaction because the safeTransferFrom
inside MartenitsaMarketplace::buyMartenitsa
will fail.
Impact: Buyers will incur gas fee losses and keep getting failed transactions for what they deem as being a valid listing.
Proof of Concepts: Paste this test inside MartenitsaMarketplace.t.sol
file and run it with the forge test --mt testBuyMartenitsaAfterTransfer -vvv
command in order to see the logs. You will see that Chasy is able to transfer the token to Jack after listing it, and when Bob calls the buyMartenitsa
function, the function will revert once it reaches the safeTransferFrom
line of code because Chasy is not holding the token anymore.
Test output
Recommended mitigation: When listing the token this should be transferred from the seller to the Marketplace contract in order to prevent sellers from transferring them out before the actual sale or before they cancel their listing.
Tools used: Manual review
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.