Submission Details
Severity:
Tokens are stuck in RAACNFT.sol
Summary
Tokens paid to mint RAACNFTs are stuck in the contract.
Vulnerability Details
Users can participate in RAAC by minting NFTs that represent RWA, in order to mint an NFT they have to pay a price:
function mint(uint256 _tokenId, uint256 _amount) public override {
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if(price == 0) { revert RAACNFT__HousePrice(); }
if(price > _amount) { revert RAACNFT__InsufficientFundsMint(); }
// transfer erc20 from user to contract - requires pre-approval from user
token.safeTransferFrom(msg.sender, address(this), _amount);
// mint tokenId to user
_safeMint(msg.sender, _tokenId);
// If user approved more than necessary, refund the difference
if (_amount > price) {
uint256 refundAmount = _amount - price;
token.safeTransfer(msg.sender, refundAmount);
}
emit NFTMinted(msg.sender, _tokenId, price);
}
The issue is that tokens paid by users are irreversibly stuck in this contract.
Impact
Funds paid for RAACNFTs become stuck.
Recommendations
Introduce the functionality to use these funds for the protocol.
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.