`collectUsdcFromSelling` performs no-op self-transfer and inflates `totalFeesCollected`
Links
-
src/NFTDealers.sol:186—usdc.safeTransfer(address(this), fees)— self-transfer -
src/NFTDealers.sol:184—totalFeesCollected += fees
Vulnerability Details
In collectUsdcFromSelling, the line usdc.safeTransfer(address(this), fees) transfers USDC from the contract to itself — a no-op that wastes gas and achieves nothing. The USDC leaves the contract's balance and arrives back at the same balance. Net movement: zero.
Additionally, since collectUsdcFromSelling can be called repeatedly (see Critical-01), totalFeesCollected += fees runs on every call, inflating the fee accounting with phantom values that don't correspond to any real fee revenue. The contract records fees that were never actually earned from unique sales.
Impact
Gas is wasted on every collectUsdcFromSelling call for a transfer that achieves nothing. The totalFeesCollected state variable becomes unreliable as a source of truth for actual fee revenue, as it can be inflated through repeated calls. The self-transfer was likely intended to separate fee funds from seller funds, but ERC20 balances don't work that way — a contract has a single USDC balance, not separate internal accounts.
Recommended Mitigation
Remove the no-op self-transfer:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.