The issue arises when a user intentionally or accidentally transfers their ERC20 tokens directly to the contract address instead of using the designated sellErc20 function. The tokens then become stuck in the contract, leading to a Denial of Service (DoS) scenario where they cannot be retrieved or used as intended. Because the contract has no mechanism to handle such direct transfers, these tokens remain inaccessible.
The same problem occurs when a user refuses to cooperate and intentionally never releases their tokens, preventing the protocol from functioning properly, or has accidentally sent their tokens to an unrecoverable address.
The NFT associated with the token remains locked in the contract forever.
Manual Review
To handle transfers made directly to the contract address, we can implement a function that handles tokens received by the contract by selling them to buyers for a fixed price (0.1 ether, for example).
To handle mishandled ERC20 tokens, we can create a privileged onlyOwner function that releases a locked NFT, so the NFT doesn't remain locked in the contract forever, and deletes the ERC20 token mapped to the NFT.
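A sketch of the second recommendation, added here as an illustration and not taken from the audited contract: an owner-gated release that clears the NFT-to-ERC20 mapping before transferring the NFT out. The contract name, the erc20Of mapping, releaseLockedNft, the errors and the event are all hypothetical; only onlyOwner comes from the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces declared inline so the sketch needs no imports.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical names throughout; meant to be folded into the protocol contract.
abstract contract LockedNftRescue {
    address public immutable owner;
    // nft => tokenId => fraction ERC20 minted for it.
    // Assumed to be written by the protocol's own division logic (not shown).
    mapping(address => mapping(uint256 => address)) internal erc20Of;

    error NotOwner();
    error NotLocked();
    error ZeroAddress();

    event LockedNftReleased(
        address indexed nft, uint256 indexed tokenId, address indexed to, uint256 heldFractions
    );

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function releaseLockedNft(address nft, uint256 tokenId, address to) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        address erc20 = erc20Of[nft][tokenId];
        if (erc20 == address(0)) revert NotLocked(); // nothing recorded for this NFT

        // Fractions this contract holds at release time, logged for later audit.
        uint256 held = IERC20(erc20).balanceOf(address(this));

        // Effects before interaction: drop the mapping entry, then move the NFT.
        delete erc20Of[nft][tokenId];
        emit LockedNftReleased(nft, tokenId, to, held);
        IERC721(nft).safeTransferFrom(address(this), to, tokenId);
    }
}
```

Because the owner can move any locked NFT through this path, the owner key is best held by a multisig or placed behind a timelock, with the event monitored off-chain.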