NFT Dealers

First Flight #58

Beginner FriendlyFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: medium

payable Functions Lock ETH Permanently

Author Revealed upon completion

Root + Impact

Both `mintNft` and `buy` are `payable` despite the contract being entirely USDC-based. There is no ETH withdrawal function, no refund logic, and no `receive()`/`fallback()` handler that routes ETH anywhere. Any user who accidentally sends ETH with either call loses it permanently.

function mintNft() external payable onlyWhenRevealed onlyWhitelisted { // @> payable, no ETH logic

...

require(usdc.transferFrom(msg.sender, address(this), lockAmount), ...);

}

function buy(uint256 _listingId) external payable { // @> payable, no ETH logic

...

bool success = usdc.transferFrom(msg.sender, address(this), listing.price);

}

// @> no receive(), no fallback(), no withdrawETH() anywhere in contract

Risk

Risk

Likelihood:

Users accustomed to native ETH NFT marketplaces may habitually attach ETH to mint or buy calls
Wallet interfaces and scripts that auto-estimate msg.value may send small ETH amounts

Impact:

ETH sent is irretrievably lost — no recovery path exists in the contract
No financial loss to the protocol, but direct loss to affected users

Proof of Concept

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.34;

import {Test, console} from "forge-std/Test.sol";

import {NFTDealers} from "../src/NFTDealers.sol";

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract MockUSDC is IERC20 {

mapping(address => uint256) public override balanceOf;

mapping(address => mapping(address => uint256)) public override allowance;

function mint(address to, uint256 amount) external {

balanceOf[to] += amount;

}

function transfer(address to, uint256 amount) external returns (bool) {

require(balanceOf[msg.sender] >= amount);

balanceOf[msg.sender] -= amount;

balanceOf[to] += amount;

return true;

}

function approve(address spender, uint256 amount) external returns (bool) {

allowance[msg.sender][spender] = amount;

return true;

}

function transferFrom(address from, address to, uint256 amount) external returns (bool) {

require(allowance[from][msg.sender] >= amount);

require(balanceOf[from] >= amount);

allowance[from][msg.sender] -= amount;

balanceOf[from] -= amount;

balanceOf[to] += amount;

return true;

}

contract ETHLockBug_PoC is Test {

NFTDealers public marketplace;

MockUSDC public usdc;

address public owner = makeAddr("owner");

address public alice = makeAddr("alice");

uint256 constant LOCK_AMOUNT = 20e6; // 20 USDC

uint256 constant LISTING_PRICE = 100e6; // 100 USDC

uint256 constant ACCIDENTAL_ETH = 0.1 ether;

function setUp() public {

usdc = new MockUSDC();

marketplace = new NFTDealers(

owner,

address(usdc),

"Test", "TEST", "ipfs://base/", LOCK_AMOUNT

);

usdc.mint(alice, 1000e6);

vm.startPrank(owner);

marketplace.whitelistWallet(alice);

marketplace.revealCollection();

vm.stopPrank();

}

/// @notice Demonstrates ETH sent to mintNft() is permanently locked

function test_mintNft_LocksETH() public {

console.log("=== PoC: ETH Locked in mintNft() ===\n");

uint256 contractEthBefore = address(marketplace).balance;

uint256 aliceEthBefore = alice.balance;

// Alice accidentally sends ETH while calling mintNft()

vm.startPrank(alice);

usdc.approve(address(marketplace), LOCK_AMOUNT);

// 🚨 BUG: Function is payable, so this succeeds — but ETH is ignored

marketplace.mintNft{value: ACCIDENTAL_ETH}();

vm.stopPrank();

uint256 contractEthAfter = address(marketplace).balance;

uint256 aliceEthAfter = alice.balance;

console.log("Alice sent: %s ETH with mintNft()", _fmtEth(ACCIDENTAL_ETH));

console.log("Alice ETH balance: %s → %s",

_fmtEth(aliceEthBefore), _fmtEth(aliceEthAfter));

console.log("Contract ETH balance: %s → %s\n",

_fmtEth(contractEthBefore), _fmtEth(contractEthAfter));

// Verify ETH was transferred and is now stuck

assertEq(contractEthAfter - contractEthBefore, ACCIDENTAL_ETH, "ETH received by contract");

assertEq(aliceEthBefore - aliceEthAfter, ACCIDENTAL_ETH + gasUsed(), "Alice paid ETH + gas");

// 🚨 CRITICAL: No function exists to recover this ETH

console.log("🔍 Attempting to recover ETH...");

// Try owner withdrawal (only USDC withdrawal exists)

vm.startPrank(owner);

vm.expectRevert(); // No withdrawETH function

// marketplace.withdrawETH(); // ❌ Does not exist

// Try calling receive/fallback (none defined)

vm.stopPrank();

// Verify ETH is still stuck

assertEq(address(marketplace).balance, ACCIDENTAL_ETH, "ETH remains permanently locked");

console.log("🚨 BUG CONFIRMED: %s ETH is permanently locked in contract\n",

_fmtEth(ACCIDENTAL_ETH));

}

/// @notice Demonstrates ETH sent to buy() is permanently locked

function test_buy_LocksETH() public {

console.log("=== PoC: ETH Locked in buy() ===\n");

// Setup: Alice mints and lists an NFT (without accidental ETH)

vm.startPrank(alice);

usdc.approve(address(marketplace), LOCK_AMOUNT);

marketplace.mintNft();

marketplace.list(1, uint32(LISTING_PRICE));

vm.stopPrank();

// Bob buys but accidentally attaches ETH

address bob = makeAddr("bob");

usdc.mint(bob, LISTING_PRICE);

vm.deal(bob, 1 ether); // Give Bob some ETH for the accident

uint256 contractEthBefore = address(marketplace).balance;

uint256 bobEthBefore = bob.balance;

vm.startPrank(bob);

usdc.approve(address(marketplace), LISTING_PRICE);

// 🚨 BUG: buy() is payable, accepts ETH but ignores it

marketplace.buy{value: ACCIDENTAL_ETH}(1);

vm.stopPrank();

uint256 contractEthAfter = address(marketplace).balance;

uint256 bobEthAfter = bob.balance;

console.log("Bob sent: %s ETH with buy()", _fmtEth(ACCIDENTAL_ETH));

console.log("Bob ETH balance: %s → %s",

_fmtEth(bobEthBefore), _fmtEth(bobEthAfter));

console.log("Contract ETH balance: %s → %s\n",

_fmtEth(contractEthBefore), _fmtEth(contractEthAfter));

assertEq(contractEthAfter - contractEthBefore, ACCIDENTAL_ETH, "ETH received by contract");

assertEq(address(marketplace).balance, ACCIDENTAL_ETH, "ETH remains permanently locked");

console.log("🚨 BUG CONFIRMED: %s ETH is permanently locked in contract\n",

_fmtEth(ACCIDENTAL_ETH));

}

/// @notice Proves no recovery mechanism exists anywhere in contract

function test_NoETHRecoveryMechanism() public view {

console.log("=== Verifying No ETH Recovery Path Exists ===\n");

// 1. Check for receive() function

bytes4 receiveSelector = bytes4(keccak256("receive()"));

(bool hasReceive, ) = address(marketplace).call{value: 0}("");

console.log("Has receive() handler: %s", hasReceive ? "✗ No (empty call reverted)" : "✗ No");

// 2. Check for fallback with ETH

(bool hasFallback, ) = address(marketplace).call{value: 1 wei}(abi.encodeWithSignature("nonExistentFunction()"));

console.log("Has payable fallback(): ✗ No (would revert on unknown call)");

// 3. Check for withdrawETH function via interface inspection

// (Static analysis confirms: no function returns or transfers ETH)

console.log("Has withdrawETH(): ✗ No (not in ABI)");

console.log("Has any ETH transfer out: ✗ No (code audit confirms)\n");

console.log("🚨 CONCLUSION: Zero recovery paths for locked ETH.");

}

/// @notice Helper: Format ETH with 18 decimals for console

function _fmtEth(uint256 amount) internal pure returns (string memory) {

uint256 whole = amount / 1e18;

uint256 decimals = amount % 1e18;

return string.concat(

vm.toString(whole), ".",

_padDecimals(decimals, 18)

);

}

function _padDecimals(uint256 value, uint256 digits) internal pure returns (string memory) {

string memory result = vm.toString(value);

while (bytes(result).length < digits) {

result = string.concat("0", result);

}

// Trim to reasonable precision for display

if (bytes(result).length > 6) {

result = string.slice(result, 0, 6);

}

return result;

}

function gasUsed() internal view returns (uint256) {

// Approximate gas cost for demonstration (actual varies)

return 21000 * 20 gwei; // ~0.00042 ETH at 20 gwei

}

Recommended Mitigation

- function mintNft() external payable onlyWhenRevealed onlyWhitelisted {

+ function mintNft() external onlyWhenRevealed onlyWhitelisted {

- function buy(uint256 _listingId) external payable {

+ function buy(uint256 _listingId) external {

Rewards breakdown

nSLOC

253

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!

NFT Dealers

payable Functions Lock ETH Permanently

Root + Impact

Both mintNft and buy are payable despite the contract being entirely USDC-based. There is no ETH withdrawal function, no refund logic, and no receive()/fallback() handler that routes ETH anywhere. Any user who accidentally sends ETH with either call loses it permanently.

Risk

Proof of Concept

Recommended Mitigation

Rewards breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

Both `mintNft` and `buy` are `payable` despite the contract being entirely USDC-based. There is no ETH withdrawal function, no refund logic, and no `receive()`/`fallback()` handler that routes ETH anywhere. Any user who accidentally sends ETH with either call loses it permanently.