The RAACNFT contract lacks a withdrawal mechanism for funds received from house sales (NFT minting), resulting in permanently locked ERC20 tokens in the contract.
The RAACNFT contract implements a system where users can mint NFTs representing houses by paying with ERC20 tokens. When a user mints an NFT through the mint() function, they transfer tokens to the contract based on the house price:
The critical issue is that while the contract accepts payments for houses (in the form of ERC20 tokens), it provides no mechanism to withdraw these funds. This means:
- The tokens received as payment are permanently locked in the contract
- The original house owners cannot receive their payment for selling their properties
- Even the contract owner has no way to access these funds
- Each successful mint operation increases the amount of locked tokens
The absence of a withdrawal function means that all value transferred to the contract becomes permanently inaccessible, essentially creating a token burn mechanism rather than a proper payment system.
1. Alice wants to sell her house and lists it for 100,000 USDC
2. Bob mints the NFT by sending 100,000 USDC to the contract
3. Bob receives the NFT representing the house
4. The 100,000 USDC remains locked in the contract
5. Alice never receives payment for her house
6. This process repeats with each house sale, accumulating locked tokens
Critical loss of funds as all payments for house sales become permanently locked in the contract, making the protocol economically unfeasible and resulting in direct financial losses for house sellers.
Manual review
Implement a mechanism to withdraw the funds.
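One way to implement such a withdrawal, as an added sketch that is not RAACNFT's own code: an owner-gated function that moves the accumulated payment token out of the contract. The names `SaleProceedsWithdrawal`, `paymentToken`, `withdrawProceeds` and `ProceedsWithdrawn` are hypothetical, and OpenZeppelin Contracts v5 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative mixin only: every name here is hypothetical and none of it
/// is taken from the RAACNFT code base. An NFT contract that collects ERC20
/// payments in mint() could inherit it to gain a withdrawal path.
abstract contract SaleProceedsWithdrawal is Ownable {
    using SafeERC20 for IERC20;

    // Assumption: a single ERC20 is used to pay for every mint.
    IERC20 public immutable paymentToken;

    event ProceedsWithdrawn(address indexed to, uint256 amount);
    error ZeroAddress();
    error InsufficientBalance(uint256 requested, uint256 available);

    constructor(IERC20 paymentToken_, address initialOwner) Ownable(initialOwner) {
        if (address(paymentToken_) == address(0)) revert ZeroAddress();
        paymentToken = paymentToken_;
    }

    /// Sends `amount` of the collected payment token to `to`.
    /// Restricted to the owner; emits an event so withdrawals are auditable.
    function withdrawProceeds(address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        uint256 available = paymentToken.balanceOf(address(this));
        if (amount > available) revert InsufficientBalance(amount, available);
        // safeTransfer reverts on failure and handles tokens that return no bool.
        paymentToken.safeTransfer(to, amount);
        emit ProceedsWithdrawn(to, amount);
    }
}
```

This only gives the owner access to the balance; paying each seller directly would need per-sale accounting that the finding does not describe.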