Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

Limited Trading Functionality in SpookySwap

Summary

The SpookySwap contract lets users move NFTs with the standard ERC721 transferFrom and safeTransferFrom functions, but it has no dedicated trading function that couples the transfer to a payment. The project description says users should be able to "trade NFTs with others," which implies a full exchange: the seller hands over the NFT and receives ETH or another asset in the same transaction. Because no such function exists, a user who expects an in-contract trade may transfer an NFT and receive nothing in return, or may fall back on off-chain arrangements or third-party marketplaces that the contract cannot enforce.

Vulnerability Details

Currently, users can transfer NFTs they have purchased to other users with the standard ERC721 transfer functions. These functions move the token only; they do not accept, hold, or forward any payment. That is inconsistent with the documented intent of letting users "trade" NFTs, which implies an exchange of value in both directions. As a result, a user who expects a direct exchange inside the contract may transfer an NFT first and depend on the counterparty to pay afterwards, with no on-chain recourse if they do not, or may turn to third-party platforms, which introduces additional trust and approval risks outside the project's control.

Impact

  • Lack of Payment Functionality in Trades: Users cannot receive ETH or other assets within the contract itself, limiting trading options and functionality.

  • User Confusion: The difference between the documentation and functionality could mislead users, resulting in unexpected losses.

  • Dependency on External Platforms: Users may rely on external marketplaces or manual transfers, exposing them to security risks and additional transaction fees.

Tools Used

Manual Review

Recommendations

Implement a dedicated trade function within the contract. It should allow users to:

  • List an NFT they own for sale at a specific price (the contract needs only an ERC721 approval; it does not have to take custody of the token).

  • Let another user pay the listed price in ETH, with the NFT transfer to the buyer and the ETH payout to the seller performed in the same transaction, so that neither side can end up with nothing.
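One way to implement the listing-and-buy flow described above, written as an added example for this report rather than code from the SpookySwap contract. It assumes a single ERC721 collection, a minimal IERC721 interface declared inline, and the contract and function names SpookyListing, list, cancel and buy, none of which come from the project. The seller keeps the token in their wallet and only approves the listing contract; buy checks the exact price, clears the listing before any external call, then moves the NFT and pays the seller, so a failure in either step reverts the whole trade.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the ERC721 interface needed by the listing contract.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

/// @notice Added example, not the SpookySwap contract's own API: a fixed-price
/// listing for one ERC721 collection where the NFT and the ETH change hands
/// atomically. Names and layout are assumptions made for this illustration.
contract SpookyListing {
    struct Listing {
        address seller;
        uint96 price; // price in wei; packs into the same storage slot as seller
    }

    IERC721 public immutable nft;
    mapping(uint256 => Listing) public listings;
    bool private locked; // simple reentrancy guard for buy()

    event Listed(uint256 indexed tokenId, address indexed seller, uint256 price);
    event Cancelled(uint256 indexed tokenId);
    event Sold(uint256 indexed tokenId, address indexed seller, address indexed buyer, uint256 price);

    error NotOwner();
    error NotApproved();
    error NotListed();
    error ZeroPrice();
    error WrongPrice(uint256 expected, uint256 sent);
    error PayoutFailed();
    error Reentrancy();

    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC721 _nft) {
        nft = _nft;
    }

    /// @notice List a token you own at `price` wei. The caller must first approve
    /// this contract (approve or setApprovalForAll) so buy() can move the token.
    function list(uint256 tokenId, uint96 price) external {
        if (price == 0) revert ZeroPrice();
        if (nft.ownerOf(tokenId) != msg.sender) revert NotOwner();
        if (nft.getApproved(tokenId) != address(this) && !nft.isApprovedForAll(msg.sender, address(this))) {
            revert NotApproved();
        }
        listings[tokenId] = Listing(msg.sender, price);
        emit Listed(tokenId, msg.sender, price);
    }

    /// @notice Remove a listing; only the seller who created it may cancel.
    function cancel(uint256 tokenId) external {
        Listing memory l = listings[tokenId];
        if (l.seller == address(0)) revert NotListed();
        if (l.seller != msg.sender) revert NotOwner();
        delete listings[tokenId];
        emit Cancelled(tokenId);
    }

    /// @notice Pay exactly the listed price. The NFT goes to the buyer and the
    /// ETH to the seller in this one transaction, or the whole call reverts.
    function buy(uint256 tokenId) external payable nonReentrant {
        Listing memory l = listings[tokenId];
        if (l.seller == address(0)) revert NotListed();
        if (msg.value != l.price) revert WrongPrice(l.price, msg.value);
        // Stale listing: the seller moved the token elsewhere after listing it.
        if (nft.ownerOf(tokenId) != l.seller) revert NotListed();

        // Effects before interactions: clear the listing so it cannot be bought twice.
        delete listings[tokenId];

        // Interactions: transfer the NFT (reverts if approval was revoked), then pay the seller.
        nft.safeTransferFrom(l.seller, msg.sender, tokenId);
        (bool ok, ) = l.seller.call{value: msg.value}("");
        if (!ok) revert PayoutFailed();

        emit Sold(tokenId, l.seller, msg.sender, msg.value);
    }
}
```

The seller-side approval step matters in practice: a listing created without approval is rejected up front rather than discovered by the buyer when buy() reverts, and because the token never leaves the seller's wallet, a revoked approval or a token transferred elsewhere simply makes the listing unbuyable instead of stranding assets in the contract.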

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
