NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high

NFT Owners can still transfer NFTs after listing

Author Revealed upon completion

Root + Impact

Description

A seller can transfer their NFTs even after listing them on the marketplace.

Impact

After the transfer, the NFT's owner no longer matches the listing's seller address. As a result, a buyer cannot complete the purchase: the internal _safeTransfer() call fails because of the owner address mismatch.

Proof of Concept

function testBuyNftAfterTransfer() public {
    uint256 tokenId = 1;
    uint256 nftPrice = 1000e6;
    mintNFTForTesting();

    vm.startBroadcast(userWithCash);
    nftDealers.list(tokenId, uint32(nftPrice));
    vm.stopBroadcast();

    // transfers NFT to Preston after listing
    vm.prank(userWithCash);
    nftDealers.safeTransferFrom(userWithCash, preston, tokenId);

    // check ownership
    assertEq(nftDealers.ownerOf(tokenId), preston);

    // userWithEvenMoreCash tries to buy the NFT
    // fails at _safeTransfer()
    vm.startBroadcast(userWithEvenMoreCash);
    usdc.approve(address(nftDealers), nftPrice);
    vm.expectRevert();
    nftDealers.buy(1);
    vm.stopBroadcast();
}

Recommended Mitigation

The contract should take custody of the NFT when it is listed, e.g. by transferring it from the owner to address(this).

If the sale goes through, the NFT is transferred from the contract to the buyer. Otherwise, it goes back to the owner when they cancel the listing.
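
A sketch of the escrow flow recommended above, added here as an example; it is not the audited NFTDealers code. The contract name EscrowedDealer, the Listing struct, cancelListing(), the constructor mint and the direct payment to the seller are assumptions, and it builds on OpenZeppelin's ERC721.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical escrow-style marketplace; not the audited NFTDealers contract.
contract EscrowedDealer is ERC721 {
    struct Listing {
        address seller;
        uint32 price;
    }

    IERC20 public immutable usdc;
    mapping(uint256 tokenId => Listing) public listings;

    constructor(IERC20 _usdc) ERC721("EscrowedDealer", "EDL") {
        usdc = _usdc;
        _mint(msg.sender, 1); // constructed sample token so the sketch has something to list
    }

    function list(uint256 tokenId, uint32 price) external {
        require(ownerOf(tokenId) == msg.sender, "not owner");
        require(price > 0, "price is zero");
        listings[tokenId] = Listing(msg.sender, price);
        // Escrow: the contract now owns the token, so the seller can no longer move it.
        _transfer(msg.sender, address(this), tokenId);
    }

    function cancelListing(uint256 tokenId) external {
        address seller = listings[tokenId].seller;
        require(seller == msg.sender, "not seller");
        delete listings[tokenId];
        _transfer(address(this), seller, tokenId); // return the token from escrow
    }

    function buy(uint256 tokenId) external {
        Listing memory item = listings[tokenId];
        require(item.seller != address(0), "not listed");
        delete listings[tokenId]; // clear state before any external call
        // Assumption: the buyer pays the seller directly, with no fee handling.
        require(usdc.transferFrom(msg.sender, item.seller, item.price), "payment failed");
        // The contract holds the token, so this cannot fail on an owner mismatch.
        _safeTransfer(address(this), msg.sender, tokenId, "");
    }
}
```

With this layout, the safeTransferFrom call in the proof of concept reverts once the token is listed, because userWithCash is no longer its owner.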
