NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Fee Extraction Logic Incorrectly Sends Fees Back to Contract Instead of Owner

Author Revealed upon completion

Root + Impact

Description

  • Normal behavior: When a sale occurs, the marketplace should collect fees and send them to the owner.

  • Current behavior: The logic increments totalFeesCollected, but during payout it calls usdc.safeTransfer(address(this), fees), which sends the fees back to the contract itself rather than to a protocol fee account.

// Root cause in NFTDealers.sol
// @> fees are credited to the contract on sell
usdc.safeTransfer(address(this), fees);

Risk

Likelihood:

  • Occurs on every sale transaction (buy) during normal marketplace use.

  • No role restriction or conditional path is needed.

Impact:

  • Fees never leave the contract until explicitly withdrawn.

  • If withdrawFees() is misused or ownership is malicious/compromised, fees can be locked or withheld.

Proof of Concept

// Seller sells NFT
dealers.buy(listingId);
// fees stored in contract but not sent to owner directly
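
The effect of the self-transfer next to the recommended transfer to the owner, as an added example that is not code from NFTDealers.sol or from the report's author. MockUSDC, FeeStep, FeeStepDemo, the settle functions and all amounts are hypothetical names and constructed values, and a plain transfer stands in for safeTransfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal token: only what the demonstration needs.
contract MockUSDC {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on insufficient balance (0.8+ checked math)
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical stand-in for the marketplace's fee step; not NFTDealers.sol.
contract FeeStep {
    MockUSDC public immutable usdc;
    address public immutable owner;
    uint256 public totalFeesCollected;

    constructor(MockUSDC _usdc, address _owner) { usdc = _usdc; owner = _owner; }

    // Pattern from the finding: the contract names itself as recipient.
    function settleToSelf(uint256 fees) external {
        totalFeesCollected += fees;
        usdc.transfer(address(this), fees); // debits and credits the same account
    }

    // Pattern from the recommended mitigation: pay the owner at sale time.
    function settleToOwner(uint256 fees) external { usdc.transfer(owner, fees); }
}

contract FeeStepDemo {
    // Returns the owner's token balance after each pattern has run once.
    function run() external returns (uint256 afterSelf, uint256 afterFix) {
        MockUSDC usdc = new MockUSDC();
        address owner = address(0xBEEF); // constructed address
        FeeStep step = new FeeStep(usdc, owner);
        usdc.mint(address(step), 100e6); // constructed sale proceeds held by the contract

        step.settleToSelf(5e6);
        afterSelf = usdc.balanceOf(owner);
        require(usdc.balanceOf(address(step)) == 100e6, "self-transfer moved funds");

        step.settleToOwner(5e6);
        afterFix = usdc.balanceOf(owner);
        require(usdc.balanceOf(address(step)) == 95e6, "fee did not leave the contract");
    }
}
```

After settleToSelf the counter has grown by the fee while neither balance has changed; only settleToOwner moves tokens out of the contract.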

Recommended Mitigation

  • Move fee transfer to the owner at the point of sale:

- remove this code
+ add this code
- usdc.safeTransfer(address(this), fees);
+ usdc.safeTransfer(owner, fees);
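
Review bot: On the added line usdc.safeTransfer(owner, fees);, the totalFeesCollected increment mentioned in the description is left untouched, so if that counter still grows on each sale and withdrawFees() pays out against it, the same fee would be paid twice. The patch should either drop the increment or show the matching change to withdrawFees(). It is also worth confirming that owner resolves to an address in this scope (a state variable rather than a getter that needs owner()), and the two leading lines "- remove this code" and "+ add this code" are report-template placeholders that should be dropped from the patch.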
