Submission Details
Impact:
Likelihood:
CRITICAL ISSUE: Missing Approval Checks for NFT Transfers
Root + Impact
Description
Multiple functions call
transferFromwithout checking if the marketplace contract has approval to transfer the NFT, causing transactions to revert
function listNFT(uint256 tokenId, uint256 _minPrice, uint256 _buyNowPrice) external {
require(BBERC721.ownerOf(tokenId) == msg.sender, "Not the owner");
// Missing approval check
BBERC721.transferFrom(msg.sender, address(this), tokenId); // Will revert if not approved
}
Risk
Likelihood:
Every user attempting to list an NFT without prior approval will experience transaction failure
The contract assumes approval exists, but never verifies it
Users must know to approve the contract separately, which is not documented
Impact:
Contract becomes unusable for its primary function (listing NFTs)
Poor user experience with failed transactions
Gas costs wasted on failed transactions
Proof of Concept
function testListingFailsWithoutApproval() public {
vm.prank(owner);
uint256 tokenId = nft.mint(alice);
// Alice tries to list without approval
vm.prank(alice);
vm.expectRevert(); // Will revert due to lack of approval
marketplace.listNFT(tokenId, 0.1 ether, 0);
}
Recommended Mitigation
function listNFT(uint256 tokenId, uint256 _minPrice, uint256 _buyNowPrice) external {
require(BBERC721.ownerOf(tokenId) == msg.sender, "Not the owner");
+ require(BBERC721.getApproved(tokenId) == address(this) ||
+ BBERC721.isApprovedForAll(msg.sender, address(this)),
+ "Marketplace not approved");
require(_minPrice >= S_MIN_NFT_PRICE, "Min price too low");
// ... rest of function
}
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.