Redundant Self-Transfer of Fees in collectUsdcFromSelling
Root + Impact
Description
-
Normal Behavior: When a seller collects their funds, the protocol should calculate the fee, update the
totalFeesCollectedaccumulator, and send the remaining balance to the seller. The fees should simply remain in the contract's balance until the owner withdraws them.
-
Specific Issue: The contract explicitly calls
usdc.safeTransfer(address(this), fees). Since the USDC is already held by theNFTDealerscontract (deposited by the buyer during thebuyfunction), transferring it to itself is redundant.
Risk
Likelihood: High
Reason 1: This line is reached in every successful execution of the collection logic.
Impact: Low (Gas)
Impact 1: Wasted Gas. Each call to
safeTransfertriggers an external call to the USDC contract, which performs balance checks, updates mapping slots, and emits aTransferevent. This costs approximately 5,000–10,000 gas per call.Impact 2: Log Noise. It emits unnecessary
Transferevents fromNFTDealerstoNFTDealers, cluttering off-chain indexers.
Proof of Concept
Recommended Mitigation
Remove the self-transfer line entirely. The accounting is already handled by the totalFeesCollected += fees; statement.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.