Submission Details
Severity:
NFT Owners can still transfer NFTs after listing
Root + Impact
Description
A seller can transfer their NFTs even after listing them on the marketplace.
Impact
After NFT transfers, the NFT owner no longer matches with the listing's seller address. As a result, the buyer would not be able to complete the purchase because the internal _safeTransfer() method would fail, because of owner address mismatch.
Proof of Concept
function testBuyNftAfterTransfer() public {
uint256 tokenId = 1;
uint256 nftPrice = 1000e6;
mintNFTForTesting();
vm.startBroadcast(userWithCash);
nftDealers.list(tokenId, uint32(nftPrice));
vm.stopBroadcast();
// transfers NFT to Preston after listing
vm.prank(userWithCash);
nftDealers.safeTransferFrom(userWithCash, preston, tokenId);
// check ownership
assertEq(nftDealers.ownerOf(tokenId), preston);
// userWithEvenMoreCash tries to buy the NFT
// fails at _safeTransfer()
vm.startBroadcast(userWithEvenMoreCash);
usdc.approve(address(nftDealers), nftPrice);
vm.expectRevert();
nftDealers.buy(1);
vm.stopBroadcast();
}
Recommended Mitigation
The contract should possess the NFT after listing, e.g. transfer from the owner to address(this).
If the sale had gone through, then the NFT transfer goes to the buyer from the contract. Otherwise, goes back the owner when they cancel the listing.
Updates
Lead Judging Commences
rubik0n 16 days ago
Submission Judgement Published Assigned finding tags:
nft-ownership-not-transfered
Rewards breakdown
nSLOC
253This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.