NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: low

Payable Functions Permanently Lock Ether

Author Revealed upon completion

Description

The NFTDealers contract has two payable functions, mintNft and buy. However, the contract provides no way for Ether to leave it, such as a withdrawal function. Therefore, any Ether accidentally sent via these two functions is permanently lost.

// Root cause in the codebase with @> marks to highlight the relevant section
@> function mintNft() external payable onlyWhenRevealed onlyWhitelisted { ... }
@> function buy(uint256 _listingId) external payable { ... }

Risk

Likelihood:

This issue comes into play if a caller of one of the two payable functions actually includes ether.

Impact:

Ether sent to the contract is permanently locked.
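
The following Foundry test is an added example, not part of the original submission or the NFT Dealers code base. It shows the behaviour described above and what removing payable changes. PayableNoExit and NonPayable are hypothetical stand-ins that reproduce only the signature pattern, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: payable entry point, no function that sends Ether out.
contract PayableNoExit {
    uint256 public minted;

    function mintNft() external payable {
        minted++;
    }
}

// Hypothetical stand-in: the same function with `payable` removed.
contract NonPayable {
    uint256 public minted;

    function mintNft() external {
        minted++;
    }
}

contract LockedEtherTest is Test {
    address user;

    function setUp() public {
        user = makeAddr("user");
        vm.deal(user, 1 ether);
    }

    function test_payableKeepsStrayEther() public {
        PayableNoExit c = new PayableNoExit();
        vm.prank(user);
        c.mintNft{value: 1 ether}();
        // The contract exposes nothing that transfers Ether, so this balance is stuck.
        assertEq(address(c).balance, 1 ether);
        assertEq(user.balance, 0);
    }

    function test_nonPayableRejectsValue() public {
        NonPayable c = new NonPayable();
        vm.prank(user);
        // Low-level call: the compiler rejects {value: ...} on a non-payable function.
        (bool ok,) = address(c).call{value: 1 ether}(abi.encodeWithSignature("mintNft()"));
        assertFalse(ok); // the call reverts, so state and balances are unchanged
        assertEq(user.balance, 1 ether);
        assertEq(c.minted(), 0);
    }
}
```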

Recommended Mitigation

The payable keyword should be removed from these two functions.

- function mintNft() external payable onlyWhenRevealed onlyWhitelisted { ... }
+ function mintNft() external onlyWhenRevealed onlyWhitelisted { ... }
- function buy(uint256 _listingId) external payable { ... }
+ function buy(uint256 _listingId) external { ... }
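
Review bot: the diff drops payable from mintNft and buy only, so it closes these two entry points without showing that no other path lets the contract receive Ether. Confirm that the contract declares no payable constructor, receive() or fallback(), and add a test asserting that a call to each function with a non-zero msg.value reverts. Any caller or script that currently passes a value to mintNft or buy will start reverting once this change lands, which is worth stating in the change description.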
