NFT Dealers

First Flight #58
Beginner Friendly
Foundry
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Fee Extraction Logic Incorrectly Sends Fees Back to Contract Instead of Owner

Root + Impact

Description

  • Normal behavior: When a sale occurs, the marketplace should collect the fee and send it to the owner.

The current logic increments totalFeesCollected, but during payout it calls usdc.safeTransfer(address(this), fees), which transfers the fees to the contract itself rather than to a protocol fee account.

// Root cause in NFTDealers.sol
// @> fees are credited to the contract on sell
usdc.safeTransfer(address(this), fees);

Risk

Likelihood:

  • Occurs on every sale transaction (buy) during normal marketplace use.
  • No role restriction or conditional path is needed.

Impact:

  • Fees never leave the contract until they are explicitly withdrawn.
  • If withdrawFees() is misused, or ownership is malicious or compromised, fees can be locked or withheld.

Proof of Concept

// Seller sells NFT
dealers.buy(listingId);
// fees stored in contract but not sent to owner directly

Recommended Mitigation

  • Move fee transfer to the owner at the point of sale:

- remove this code
+ add this code
- usdc.safeTransfer(address(this), fees);
+ usdc.safeTransfer(owner, fees);
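
Review bot: the replacement line `usdc.safeTransfer(owner, fees);` leaves the `totalFeesCollected` increment described in the Description in place, so after this change `withdrawFees()` would still account for (and attempt to pay out) fees that were already sent to the owner at the point of sale; either drop the increment when fees are forwarded immediately, or make `withdrawFees()` operate on the contract's actual USDC balance. Also confirm that `owner` is a state variable in NFTDealers.sol and not an `owner()` getter, since the hunk uses it as a bare identifier.
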
Updates

Lead Judging Commences

rubik0n Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Invalid
