Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP

Submission Details
Impact: high
Likelihood: high
Invalid

Test Suite Bug: Test Attempts to List Non-Existent NFT

High: Test Attempts to List Non-Existent NFT

Description

  • The test_fail_listNFT_notOwner() test is designed to verify that non-owners cannot list NFTs for sale.

  • The test attempts to list token ID 0 without first minting it, so the call reverts with an ERC721NonexistentToken(0) error raised by ownerOf instead of the expected "Not the owner" error from the market.

```solidity
function test_fail_listNFT_notOwner() public {
    vm.prank(BIDDER_1);
    vm.expectRevert("Not the owner");
    market.listNFT(TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE); // @> TOKEN_ID (0) was never minted!
}
```
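An added Foundry test file (not the project's own code) that makes the bug and its precondition explicit: the first test reproduces the reported failure, expecting the exact ERC721NonexistentToken(0) error seen in the trace while TOKEN_ID is still unminted; the second is the corrected test, which mints to SELLER, asserts the ownership precondition, and only then expects the market's "Not the owner" revert for BIDDER_1. The source import paths, the constructors of BidBeasts and BidBeastsNFTMarket, and the test accounts are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";
import {BidBeasts} from "../src/BidBeasts.sol";                  // source paths assumed
import {BidBeastsNFTMarket} from "../src/BidBeastsNFTMarket.sol";

contract ListNFTOwnershipTest is Test {
    BidBeasts nft;
    BidBeastsNFTMarket market;
    address OWNER;
    address SELLER;
    address BIDDER_1;
    uint256 constant TOKEN_ID = 0;        // first minted id, as in the trace
    uint256 constant MIN_PRICE = 1e18;    // price arguments seen in the trace
    uint256 constant BUY_NOW_PRICE = 5e18;

    function setUp() public {
        OWNER = makeAddr("owner");        // constructed test accounts
        SELLER = makeAddr("seller");
        BIDDER_1 = makeAddr("bidder1");

        // Constructor signatures are assumptions about the project, not from the report.
        vm.prank(OWNER);
        nft = new BidBeasts();
        market = new BidBeastsNFTMarket(address(nft));
    }

    // Reproduces the reported failure: with nothing minted, ownerOf(0) reverts inside
    // listNFT, so the market's own "Not the owner" check is never reached.
    function test_listNFT_unmintedToken_revertsNonexistentToken() public {
        vm.prank(BIDDER_1);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
        market.listNFT(TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE);
    }

    // Corrected test: mint first, pin the precondition, then expect the market's error.
    function test_fail_listNFT_notOwner() public {
        vm.prank(OWNER);
        nft.mint(SELLER);                 // mint(address) as used in the report's fix
        assertEq(nft.ownerOf(TOKEN_ID), SELLER, "precondition: SELLER owns TOKEN_ID");
        vm.prank(BIDDER_1);
        vm.expectRevert("Not the owner");
        market.listNFT(TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE);
    }
}
```

Run with `forge test --match-contract ListNFTOwnershipTest -vvv` to see both traces side by side.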

Risk

Likelihood:

  • The test fails 100% of the time in its current state

  • Prevents proper validation of ownership checks

Impact:

  • False test failures mask actual contract behavior

  • Cannot verify if ownership validation works correctly

  • May hide actual vulnerabilities in ownership checks

  • Reduces confidence in test suite reliability

Proof of Concept

The test execution trace shows that the actual error differs from the expected one:

```text
[FAIL: Error != expected error: ERC721NonexistentToken(0) != Not the owner]
├─ [8822] BidBeastsNFTMarket::listNFT(0, 1e18, 5e18)
│ ├─ [3017] BidBeasts::ownerOf(0) [staticcall]
│ │ └─ ← [Revert] ERC721NonexistentToken(0) // Token doesn't exist
│ └─ ← [Revert] ERC721NonexistentToken(0)
└─ ← [Revert] Error != expected error
```

Recommended Mitigation

Mint an NFT to a different address before attempting to list it from an unauthorized account:

```diff
function test_fail_listNFT_notOwner() public {
+ // First mint an NFT to SELLER
+ vm.prank(OWNER);
+ nft.mint(SELLER);
+
+ // Now try to list it from BIDDER_1 (who doesn't own it)
vm.prank(BIDDER_1);
vm.expectRevert("Not the owner");
market.listNFT(TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE);
}
```

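Review bot: the added lines assume that the first mint assigns TOKEN_ID (0, per the trace) to SELLER, but nothing in the test pins that down, so a change in how mint assigns ids would bring back the same ERC721NonexistentToken confusion this report describes. Add `assertEq(nft.ownerOf(TOKEN_ID), SELLER);` directly after `nft.mint(SELLER);` so the precondition fails loudly on its own line before the ownership check is exercised.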
Updates

Lead Judging Commences

cryptoghost (Lead Judge), 22 days ago
Submission Judgement Published
Invalidated
Reason: Out of scope
