Description:

The marketplace contract is vulnerable to frontrunning attacks where malicious actors can monitor the mempool for unlistNFT() transactions and force unwilling sales by frontrunning with buyNowPrice purchases. When a seller decides to unlist their NFT (due to changed market conditions, personal reasons, or pricing errors), attackers can observe the pending unlisting transaction in the public mempool and submit a purchase transaction with higher gas fees to execute first. This forces the seller to complete a sale they no longer want to make at potentially unfavorable terms.

Attack path:

1. Seller lists NFT with minPrice and buyNowPrice set (e.g., 1 ETH each)

2. Market conditions change or seller changes mind and calls unlistNFT(tokenId)

3. Attacker monitors mempool and detects the unlisting transaction

4. Attacker immediately submits placeBid(tokenId) with msg.value >= buyNowPrice and higher gas price

5. Attacker's purchase transaction executes first due to higher gas fees

6. NFT is sold to attacker via buy-now mechanism before unlisting can occur

7. Seller's subsequent unlistNFT() transaction fails because NFT is no longer listed

8. Seller is forced to complete unwanted sale, potentially at below-market price

Impact:

Sellers cannot reliably withdraw their NFTs from the market when circumstances change

Attackers can acquire NFTs at stale prices when market conditions have improved

Sellers may be forced to sell at prices below current market value

Recommended Mitigation:

Implement a commit-reveal scheme for unlisting operations to prevent frontrunning by hiding the seller's intention until execution