NFT Dealers

First Flight #58

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Inconsistent Access Control Pattern — `cancelListing` Uses Inline `require` Instead of `onlySeller` Modifier

auditor_nate

Vulnerability Details

The cancelListing function performs the seller authorization check via an inline require statement:

// NFTDealers.sol:164

require(listing.seller == msg.sender, "Only seller can cancel listing");

Meanwhile, collectUsdcFromSelling and updatePrice use the dedicated onlySeller modifier for the same check:

// NFTDealers.sol:76-79

modifier onlySeller(uint256 _listingId) {

require(s_listings[_listingId].seller == msg.sender, "Only seller can call this function");

}

Both approaches are functionally equivalent, but the inconsistency means that if the seller authorization logic ever needs to change, cancelListing would need to be updated separately. The modifier exists specifically to centralize this check.

Impact

No direct security impact — the protection is functionally identical. However, the inconsistency reduces code maintainability and increases the risk of divergent behavior if the seller check logic is updated in the modifier but not in the inline require.

Recommended Mitigation

Replace the inline require with the onlySeller modifier:

- function cancelListing(uint256 _listingId) external {

- Listing memory listing = s_listings[_listingId];

- if (!listing.isActive) revert ListingNotActive(_listingId);

- require(listing.seller == msg.sender, "Only seller can cancel listing");

+ function cancelListing(uint256 _listingId) external onlySeller(_listingId) {

+ Listing memory listing = s_listings[_listingId];

+ if (!listing.isActive) revert ListingNotActive(_listingId);

Updates

Lead Judging Commences

rubik0n Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

info

Rewards breakdown

nSLOC

253

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.