NFT Listing & Bid Storage Mismanagement ( Not deleting the settled nft's and unlisted nft's this can lead to contract storage bloat)
Root + Impact
Description
The placeBid function and NFT unlisting logic currently do not delete previous bid data or NFT listings from storage after the sale is completed or the NFT is unlisted. Although the bids[tokenId] struct is overwritten when a new bid is placed, previous bidder data remains in storage until overwritten. Additionally, listings[tokenId] persists even after an NFT is sold or unlisted, which can create confusion or consume unnecessary storage on-chain.
Impact:
Storage inefficiency: Old bid data and unlisted NFT listings occupy unnecessary storage, increasing gas costs for contract interactions.
Confusion: Users or auditors may see unlisted NFTs and assume they are still active.
Potential audit/red flag: Keeping outdated bids in storage can be flagged during audits as improper state management.
Proof of Concept
List an NFT and place a bid.
Sell the NFT via buy-now logic.
Observe that listings[tokenId] still exists and bids[tokenId] still contains previous bid information until overwritten.
Similarly, unlisting an NFT only sets listed = false but does not remove the listing or any previous bid data.
Recommended Mitigation
Consider implementing a separate historical record if keeping past bids or listings is required for analytics or audit purposes.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.