Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

[M-3]Gas Waste and Data Corruption Risk Due to Incomplete Listing Cleanup in _executeSale

bababoyi

Root + Impact

Description

Normally, after an NFT auction or direct purchase is completed, the contract should clear the listing record for the given tokenId to prevent redundant storage and future logic misinterpretation.
However, in _executeSale, the code only sets listing.listed = false; without fully deleting listings[tokenId]. As a result, fields such as seller, minPrice, buyNowPrice, and auctionEnd remain in storage.

// Root cause in the codebase with @> marks to highlight the relevant section

function _executeSale(uint256 tokenId) internal {

Listing storage listing = listings[tokenId];

...

- listing.listed = false; //@> Only flag updated, record not fully deleted

delete bids[tokenId];

...

}

Risk

Likelihood:

Whenever a sale or auction settlement is executed, old listing data remains stored

Impact:

Residual fields (seller, prices, auctionEnd) may be misused by future logic or cause confusion in analytics/monitoring.

Proof of Concept

For example, after a successful sale, calling getListing(tokenId) still returns non-zero seller/minPrice/buyNowPrice values, with only listed=false. If future code or frontends mistakenly rely on these fields, it may wrongly interpret the NFT as being actively listed.

// After executeSale

(bool listed, address seller, uint256 minPrice, uint256 buyNowPrice, uint256 auctionEnd)

= market.getListing(tokenId);

// listed == false but seller != address(0), minPrice != 0, etc.

Recommended Mitigation

After _executeSale completes, fully delete the listing record to free storage and ensure no future misuse of stale fields.

function _executeSale(uint256 tokenId) internal {

Listing storage listing = listings[tokenId];

...

listing.listed = false;

+ delete listings[tokenId]; // ✅ Fully clear storage for this tokenId

delete bids[tokenId];

...

}

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!