## High
### H-1: Reentrancy: State change after external call
Changing state after an external call can lead to reentrancy attacks.
**Mitigation:** Use the checks-effects-interactions pattern to avoid this issue.
<details><summary>2 Found Instances</summary>
- Found in src/NFTDealers.sol [Line: 119]()
State is changed at: `tokenIdCounter++`, `collateralForMinting[tokenIdCounter] = lockAmount`
```solidity
require(usdc.transferFrom(msg.sender, address(this), lockAmount), "USDC transfer failed");
```
- Found in src/NFTDealers.sol [Line: 148]()
State is changed at: `s_listings[_listingId].isActive = false`
```solidity
bool success = usdc.transferFrom(msg.sender, address(this), listing.price);
```
</details>
### H-2: PUSH0 Opcode
Solc compiler version 0.8.20 switches the default target EVM version to Shanghai, which means that the generated bytecode will include PUSH0 opcodes. If you intend to deploy on a chain other than mainnet, such as an L2 chain that may not support PUSH0, be sure to select the appropriate EVM version; otherwise deployment of your contracts will fail.
<details><summary>2 Found Instances</summary>
- Found in src/MockUSDC.sol [Line: 2]()
```solidity
pragma solidity ^0.8.34;
```
- Found in src/NFTDealers.sol [Line: 2]()
```solidity
pragma solidity ^0.8.34;
```
</details>
## Low
### L-1: Local Variable Shadows State Variable
Rename the local variable that shadows a state variable.
<details><summary>1 Found Instances</summary>
- Found in src/NFTDealers.sol [Line: 86]()
```solidity
string memory _symbol,
```
</details>
### L-2: Missing zero address validation
**Description:**
An address is assigned to a state variable without a zero address check.
```solidity
owner = _owner;
```
### L-3: Unspecific Solidity Pragma
Consider using a specific version of Solidity in your contracts instead of a wide version. For example, instead of `pragma solidity ^0.8.0;`, use `pragma solidity 0.8.0;`.
<details><summary>2 Found Instances</summary>
- Found in src/MockUSDC.sol [Line: 2]()
```solidity
pragma solidity ^0.8.34;
```
- Found in src/NFTDealers.sol [Line: 2]()
```solidity
pragma solidity ^0.8.34;
```
</details>
### L-4: Unused Import
Redundant import statement. Consider removing it.
<details><summary>1 Found Instances</summary>
- Found in src/NFTDealers.sol [Line: 6]()
```solidity
import {Base64} from "@openzeppelin/contracts/utils/Base64.sol";
```
</details>
### L-5: State Variable Could Be Immutable
State variables that are only changed in the constructor should be declared immutable to save gas. Add the `immutable` attribute to state variables that are only changed in the constructor.
<details><summary>4 Found Instances</summary>
- Found in src/NFTDealers.sol [Line: 36]()
```solidity
string private collectionImage;
```
- Found in src/NFTDealers.sol [Line: 38]()
```solidity
address public owner;
```
- Found in src/NFTDealers.sol [Line: 39]()
```solidity
string public collectionName;
```
- Found in src/NFTDealers.sol [Line: 40]()
```solidity
string public tokenSymbol;
```
</details>
### L-6: State Change Without Event
There are state variable changes in this function but no event is emitted. Consider emitting an event to enable offchain indexers to track the changes.
<details><summary>4 Found Instances</summary>
- Found in src/NFTDealers.sol [Line: 98]()
```solidity
function revealCollection() external onlyOwner {
```
- Found in src/NFTDealers.sol [Line: 102]()
```solidity
function whitelistWallet(address _wallet) external onlyOwner {
```
- Found in src/NFTDealers.sol [Line: 106]()
```solidity
function removeWhitelistedWallet(address _wallet) external onlyOwner {
```
- Found in src/NFTDealers.sol [Line: 171]()
```solidity
function collectUsdcFromSelling(uint256 _listingId) external onlySeller(_listingId) {
```
</details>