`mintNft` and `buy` are unnecessarily marked `payable`, trapping any ETH sent
Links
-
src/NFTDealers.sol:118—mintNft()declaredpayable -
src/NFTDealers.sol:145—buy()declaredpayable
Vulnerability Details
Both mintNft and buy are marked payable despite only handling USDC (an ERC20 token) via transferFrom. The payable keyword is only needed for functions that accept native ETH via msg.value. Since these functions never use msg.value and the protocol operates entirely in USDC, the modifier serves no purpose.
If a user accidentally sends ETH with either call, the ETH is accepted by the contract. There is no withdraw or sweep function for ETH anywhere in the contract — only withdrawFees() which transfers USDC. Any ETH sent is permanently locked.
Impact
ETH accidentally sent to mintNft() or buy() is permanently stuck in the contract with no recovery mechanism. Removing payable would cause Solidity to automatically reject any ETH sent, protecting users from mistakes at zero cost.
Recommended Mitigation
Remove payable from both functions:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.