NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Listing Cancel Refunds Use Collateral Instead of Purchase Price

Author Revealed upon completion

Root + Impact

Description

  • Normal behavior: canceling a listing should refund the price paid by the buyer or clear obligations, not refund mint collateral.

  • The current cancelListing() returns collateralForMinting to the seller. This amount may not equal or correspond to the amount the buyer paid, potentially allowing sellers to refund collateral while still holding proceeds.

// Root cause in NFTDealers.sol
// @> Cancel returns mint collateral, not business logic refund
usdc.safeTransfer(listing.seller, collateralForMinting[listing.tokenId]);

Risk

Likelihood:

  • Happens when a seller cancels an active listing.

  • No additional preconditions beyond a valid listing.

Impact:

  • Seller regains collateral incorrectly.

  • Marketplace may become economically inconsistent.

Proof of Concept

// Seller lists NFT
dealers.list(tokenId, price);
// Seller cancels listing
dealers.cancelListing(tokenId);
// Seller gets mint collateral back (not sale funds)
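
The PoC above ends in a comment rather than an assertion. The following added example (not code from the report or from NFTDealers.sol) replays the same list and cancel flow against a small ledger model and compares each payout with the funds the contract holds for the token. The `Escrow` class, the amounts, the second seller and the `buyer_paid` switch are assumptions made for illustration.

```python
"""Constructed ledger model of mint -> list -> cancel; not NFTDealers.sol itself.
Assumptions (not from the page): minting locks collateral in the contract,
listing moves no funds, and a buyer's payment, if any, is held by the contract."""

class Escrow:
    def __init__(self):
        self.balance = 0      # USDC held by the marketplace contract
        self.collateral = {}  # tokenId -> collateral locked at mint
        self.price = {}       # tokenId -> listing price
        self.collected = {}   # tokenId -> USDC received from a buyer

    def mint(self, token_id, amount):
        self.balance += amount
        self.collateral[token_id] = amount

    def list(self, token_id, price, buyer_paid=False):
        self.price[token_id] = price
        self.collected[token_id] = price if buyer_paid else 0
        self.balance += self.collected[token_id]

    def cancel(self, token_id, payout_rule):
        payout = payout_rule(self, token_id)
        if payout > self.balance:  # an ERC-20 transfer reverts on insufficient balance
            raise RuntimeError("transfer reverts: insufficient balance")
        held = self.collateral.pop(token_id) + self.collected.pop(token_id)
        self.balance -= payout
        # Collateral of the remaining tokens that the balance no longer covers
        gap = max(0, sum(self.collateral.values()) - self.balance)
        return payout, payout - held, gap

def collateral_only(e, token_id):        # transfer flagged in the report
    return e.collateral[token_id]

def price_plus_collateral(e, token_id):  # transfer in the recommended mitigation
    return e.price[token_id] + e.collateral[token_id]

def replay(payout_rule, buyer_paid, price=15):
    """Return (payout, payout minus funds held for the token, uncovered collateral)."""
    e = Escrow()
    e.mint(1, 20)   # constructed amounts
    e.mint(2, 20)   # second seller, not part of the cancel
    e.list(1, price, buyer_paid)
    return e.cancel(1, payout_rule)

if __name__ == "__main__":
    for rule in (collateral_only, price_plus_collateral):
        for paid in (False, True):
            print(rule.__name__, "buyer_paid =", paid, replay(rule, paid))
```

A positive second value means the payout exceeds what the contract holds for that token, and a negative one means funds stay behind after the cancel. In this model, which payout rule balances depends on whether a price was actually collected.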

Recommended Mitigation

  • Refund the actual price (if collected) or adjust logic:

- remove this code
+ add this code
- usdc.safeTransfer(listing.seller, collateralForMinting[listing.tokenId]);
+ usdc.safeTransfer(listing.seller, listing.price + collateralForMinting[listing.tokenId]);
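
Review bot: the added `safeTransfer` line pays `listing.price` to `listing.seller` on every cancel, but the bullet above the hunk limits the refund to a price that was actually collected, and the PoC cancels right after `list` with no purchase in between. Gate the price term on an amount recorded as received for this `tokenId` rather than on `listing.price`, and state who should receive a collected price, since the description speaks of the price paid by the buyer while the transfer goes to the seller. The `- remove this code` / `+ add this code` lines look like template placeholders and should be dropped from the patch.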
