Submission Details
Impact:
Likelihood:
README Access Control Mismatch — `list()` Has `onlyWhitelisted` but Non-Whitelisted Users Should Be Able to List
Author Revealed upon completion
## Links
- `src/NFTDealers.sol:131` — `list()` with `onlyWhitelisted` modifier
- `README.md` — Specifies non-whitelisted users can list NFTs
## Vulnerability Details
The README states that non-whitelisted users should be able to call `list()`, `buy()`, `cancelListing()`, and `updatePrice()`. However, the `list()` function has the `onlyWhitelisted` modifier:
```solidity
// NFTDealers.sol:131
function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
```
This blocks non-whitelisted users from listing their NFTs, contradicting the protocol's documented intended behavior. A user who obtained an NFT through `buy()` (which has no whitelist check) would be unable to re-list it for sale unless they are separately whitelisted by the owner.
## Impact
Non-whitelisted users who purchase NFTs through the marketplace are unable to re-sell them via the listing mechanism. This creates a one-directional market where only whitelisted users can sell, contradicting the protocol's design and reducing marketplace liquidity.
## Recommended Mitigation
Remove the `onlyWhitelisted` modifier from `list()`:
```diff
- function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
+ function list(uint256 _tokenId, uint32 _price) external {
```
Rewards breakdown
nSLOC
253This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.