Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Incomplete Test Coverage on listNFT

chobby

Root + Impact

Description

Normal behavior: The listNFT function should only allow the token’s owner to list it for auction. Non-owners attempting to list should revert with "Not the owner".
Issue: In the test test_fail_listNFT_notOwner, the token is never minted before the listing attempt. This results in a revert from the ERC721 implementation (ERC721NonexistentToken(tokenId)) rather than the intended "Not the owner" error.

// In test file

// No minting step before attempting to list

@> vm.prank(NOT_OWNER);

@> market.listNFT(TOKEN_ID, MIN_PRICE, 0);

Risk

Likelihood:

This issue will always occur in the test case because the token is not minted before calling listNFT.

Impact:

False negatives: Developers may incorrectly believe ownership logic is broken.
Reduced confidence: Misaligned tests make debugging harder and reduce trust in test coverage.

Proof of Concept

function test_fail_listNFT_notOwner() public {

// Missing: nft.mint(TOKEN_ID)

vm.prank(NOT_OWNER);

vm.expectRevert("Not the owner");

market.listNFT(TOKEN_ID, MIN_PRICE, 0);

// Actual revert: ERC721NonexistentToken(tokenId)

}

Explanation:
Without minting, the token doesn’t exist, so the function reverts early. The test therefore, never validates the "Not the owner" path.

Recommended Mitigation

Explanation:
Update the test to mint the token before attempting to list it as a non-owner. This ensures the test case is aligned with expected contract behavior.

Fix:

nft.mint(OWNER, TOKEN_ID);

vm.prank(NOT_OWNER);

vm.expectRevert("Not the owner");

market.listNFT(TOKEN_ID, MIN_PRICE, 0);

This validates the true ownership restriction logic rather than an unrelated ERC721 revert.

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.