Submission Details
Severity: high
Invalid

buyOutEstateNFT Will Not Burn the NFT Token

Summary

The buyOutEstateNFT function prematurely returns before updating the NFT token’s status, leading to a scenario where the user transfers funds but the NFT is not burned, effectively causing asset loss.

Vulnerability Details

The cause is the early return in this branch of the loop:

    if (msg.sender == beneficiaries[i]) {
        return;
    } else {

The function returns after IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount) and before nft.burnEstate(_nftID).

    function buyOutEstateNFT(uint256 _nftID) external onlyBeneficiaryWithIsInherited {
        uint256 value = nftValue[_nftID];
        uint256 divisor = beneficiaries.length;
        uint256 multiplier = beneficiaries.length - 1;
        uint256 finalAmount = (value / divisor) * multiplier;
        // The caller's payment is pulled into the contract first.
        IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount);
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (msg.sender == beneficiaries[i]) {
                return; // <- here: exits the whole function, not just this iteration
            } else {
                IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
            }
        }
        // Only reached if the loop completes without hitting the return above.
        nft.burnEstate(_nftID);
    }

Impact

The NFT token won’t be burned no matter how much the user paid.
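
The control flow described above, as an added Python model (not the contract's code and not part of the original submission). The names buy_out, State and run, the three beneficiaries and the balances are constructed for the illustration; skip_with_continue selects the recommended fix.

```python
# Added illustration: a plain-Python model of buyOutEstateNFT's control flow.
# buy_out, State, run and all sample values are constructed for this example.
from dataclasses import dataclass


@dataclass
class State:
    balances: dict            # token balance per address
    contract: int = 0         # tokens held by the contract itself
    burned: bool = False      # set once nft.burnEstate(_nftID) is reached


def buy_out(state, beneficiaries, caller, value, skip_with_continue):
    """Mirror the Solidity body; skip_with_continue models the recommended fix."""
    divisor = len(beneficiaries)
    multiplier = divisor - 1
    final_amount = (value // divisor) * multiplier
    # safeTransferFrom(msg.sender, address(this), finalAmount)
    state.balances[caller] -= final_amount
    state.contract += final_amount
    for b in beneficiaries:
        if b == caller:
            if skip_with_continue:
                continue      # recommended: skip the caller, keep looping
            return state      # as submitted: leaves the function before the burn
        # safeTransfer(beneficiaries[i], finalAmount / divisor)
        share = final_amount // divisor
        state.contract -= share
        state.balances[b] += share
    state.burned = True       # nft.burnEstate(_nftID)
    return state


def run(caller, skip_with_continue):
    beneficiaries = ["alice", "bob", "carol"]   # constructed sample data
    state = State(balances={b: 1000 for b in beneficiaries})
    return buy_out(state, beneficiaries, caller, 900, skip_with_continue)


if __name__ == "__main__":
    for fixed in (False, True):
        s = run("bob", fixed)
        print("continue" if fixed else "return", s.burned, s.balances, s.contract)
```

In the model, the return variant also stops payouts to every beneficiary listed after the caller, which is why the outcome depends on the caller's position in the array.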

Tools Used

Recommendations

for (uint256 i = 0; i < beneficiaries.length; i++) {
if (msg.sender == beneficiaries[i]) {
- return;
+ continue;
} else {
IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
}
}
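
Review bot: on the unchanged safeTransfer line, each of the other beneficiaries still receives finalAmount / divisor, but with continue only beneficiaries.length - 1 of them are paid, so roughly finalAmount / divisor of the caller's payment stays in the contract after the burn. Consider dividing by multiplier (beneficiaries.length - 1) there, or document where the remainder is meant to go. With continue in place the else branch is also no longer needed; a single if (msg.sender != beneficiaries[i]) around the transfer reads more clearly.
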
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Other
