Impact:
Medium — transferFrom succeeds without checking whether a contract recipient can handle ERC721 tokens, so NFTs returned to a seller or delivered to an auction winner that is a contract without ERC721Receiver support end up stuck in that recipient contract, with no code path to move them again. The affected flows are listing, unlisting and auction settlement.
Likelihood:
Medium — Any seller or auction winner whose address is a smart contract rather than an EOA (a multisig or a custom bidding contract, for example) can trigger this when the marketplace transfers the NFT to them.
Scope (affected files):
src/BidBeastsNFTMarket.sol
listNFT()
unlistNFT()
_executeSale()
Normal behaviour:
NFTs should always be transferred safely, whether to sellers or auction winners, including when the recipient is a smart contract.
Issue:
The contract uses transferFrom for NFT transfers in multiple places. Unlike safeTransferFrom, transferFrom does not call onERC721Received on a contract recipient, so it cannot tell whether the recipient can handle ERC721 tokens. NFTs sent to incompatible contracts may be irreversibly locked.
Root cause:
transferFrom is used instead of safeTransferFrom, so no ERC721Receiver check is performed when the recipient is a contract.
Why this matters:
NFTs sent to contracts without ERC721 receiver support cannot be recovered.
Marketplace UX suffers, and users may permanently lose access to their tokens.
Reason 1: Any unlisting or auction settlement to a contract address can lock NFTs.
Reason 2: Users unaware of ERC721Receiver limitations cannot retrieve locked assets.
Impact:
Permanent NFT loss for users.
Trust and reputation risk for the platform.
Non-safe transferFrom calls can send NFTs to non-compliant contracts, potentially locking them permanently.
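The following is an added illustration, not code from the BidBeastsNFTMarket repository: a minimal settlement path showing the transferFrom pattern described in this finding next to a safeTransferFrom version, plus two recipient contracts that demonstrate the difference. Contract and function names (MarketSettlementExample, settleAuctionUnsafe, settleAuctionSafe, ReceiverBidder, BlackHole) and the use of the OpenZeppelin IERC721, IERC721Receiver and ReentrancyGuard contracts are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example code added for this finding; not part of the audited project.
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract MarketSettlementExample is ReentrancyGuard {
    IERC721 public immutable nft;

    struct Listing {
        address seller;
        address winner; // highest bidder at auction end; hypothetical field
        bool active;
    }

    mapping(uint256 => Listing) public listings;

    constructor(IERC721 nft_) {
        nft = nft_;
    }

    // VULNERABLE pattern mirrored from the finding. transferFrom only checks
    // ownership/approval; it never consults the recipient. If `winner` is a
    // contract with no onERC721Received, the call succeeds and the token is
    // stranded in that contract.
    function settleAuctionUnsafe(uint256 tokenId) external {
        Listing memory l = listings[tokenId];
        require(l.active, "not listed");
        delete listings[tokenId];
        nft.transferFrom(address(this), l.winner, tokenId);
    }

    // HARDENED. safeTransferFrom checks `to.code.length > 0` and, for a
    // contract, calls onERC721Received and reverts unless the receiver returns
    // IERC721Receiver.onERC721Received.selector. Because that hook is an
    // external call back into arbitrary code, state is cleared before the
    // transfer (checks-effects-interactions) and the entry point is guarded.
    function settleAuctionSafe(uint256 tokenId) external nonReentrant {
        Listing memory l = listings[tokenId];
        require(l.active, "not listed");
        delete listings[tokenId];
        nft.safeTransferFrom(address(this), l.winner, tokenId);
    }
}

// A bidding contract that can receive via safeTransferFrom: it implements the
// ERC721 receiver hook and returns the magic selector.
contract ReceiverBidder is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// A contract with no receiver hook and no transfer logic. transferFrom to it
// succeeds and strands the token; safeTransferFrom to it reverts, so the
// marketplace keeps custody and the listing can be handled another way.
contract BlackHole {}
```

Two caveats for the fix. First, safeTransferFrom gives a contract recipient a chance to revert in onERC721Received, which lets a malicious winner block settleAuctionSafe; if that matters for the auction design, let the winner pull the NFT in a separate claim call instead of pushing it at settlement. Second, if listNFT() is also switched to safeTransferFrom (seller to marketplace), the marketplace itself must implement IERC721Receiver, or every listing will revert.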