The listMartenitsaForSale function in the MartenitsaMarketplace.sol contract lacks a mechanism for users to delist their NFTs (non-fungible tokens) by setting the forSale flag to false. Currently, the function hardcodes the forSale flag to true when listing an NFT for sale, and there is no explicit way for users to remove their NFTs from the marketplace.
The vulnerability arises from the absence of a dedicated function for users to delist their NFTs. Once an NFT is listed for sale using the listMartenitsaForSale function, it remains listed indefinitely, with no option for the owner to remove it from the marketplace. This lack of control over listings can lead to a cluttered marketplace and may result in an undesirable user experience.
The impact of this vulnerability is primarily on user experience and marketplace management. Without the ability to delist NFTs, users may have limited control over their listings, leading to potential frustration and confusion. Additionally, a cluttered marketplace with outdated or unwanted listings can diminish the overall usability and attractiveness of the platform.
Manual code review.
To address this vulnerability and enhance user control over their listings, it is recommended to implement a separate function that allows users to delist their NFTs from the marketplace. This function should update the forSale flag to false and remove the NFT from the tokenIdToListing mapping. Additionally, consider implementing access controls to ensure that only the owner of the NFT can delist it.
Example Fix:
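A sketch of such a delist function, added here as an example; it is not the submission's or the project's own code. The contract name DelistSketch, the IERC721Minimal interface, the Listing fields other than forSale, the delistMartenitsa name, the event and the revert strings are all assumptions, and listMartenitsaForSale is reduced to a stand-in that only shows the hardcoded flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 view needed for the ownership check (assumed interface name).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Illustrative contract, not MartenitsaMarketplace.sol itself.
contract DelistSketch {
    // Assumed layout; only forSale and tokenIdToListing are named in the finding.
    struct Listing {
        address seller;
        uint256 price;
        bool forSale;
    }

    IERC721Minimal public immutable token;
    mapping(uint256 => Listing) public tokenIdToListing;

    // Hypothetical event so indexers and front ends can drop the listing.
    event MartenitsaDelisted(uint256 indexed tokenId, address indexed owner);

    constructor(address tokenAddress) {
        token = IERC721Minimal(tokenAddress);
    }

    // Simplified stand-in for listMartenitsaForSale: forSale is hardcoded to true.
    function listMartenitsaForSale(uint256 tokenId, uint256 price) external {
        require(token.ownerOf(tokenId) == msg.sender, "not token owner");
        require(price > 0, "price must be > 0");
        tokenIdToListing[tokenId] = Listing(msg.sender, price, true);
    }

    // Hypothetical delist function following the recommendation above.
    function delistMartenitsa(uint256 tokenId) external {
        // Access control: only the current owner of the NFT may delist it.
        require(token.ownerOf(tokenId) == msg.sender, "not token owner");
        // Reject tokens that are not listed, so the event is only emitted for real delistings.
        require(tokenIdToListing[tokenId].forSale, "not listed");
        // delete resets every field to its zero value: forSale becomes false
        // and the entry is effectively removed from the mapping.
        delete tokenIdToListing[tokenId];
        emit MartenitsaDelisted(tokenId, msg.sender);
    }
}
```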
By implementing this fix, users regain control over their listings and can remove their NFTs from the marketplace as needed, enhancing the overall usability and user experience of the platform.