Submission Details
Impact:
Likelihood:
Owner Can Remove Users From Whitelist At Any Time - Users Lose Gas on Reverted Transactions
Author Revealed upon completion
Root cause is that removeWhitelistedWallet() allows the owner to remove any user from the whitelist at any time without notice. Users who are mid-transaction or planning to interact with the protocol will have their transactions revert, losing gas fees. There is no grace period or event emission for whitelist additions.
Impact: Users lose gas fees on reverted transactions when removed from whitelist. Malicious owner can target specific users and repeatedly drain their gas. No notification mechanism exists for whitelist changes. Creates centralization risk and potential for targeted DoS attacks.
Description
-
The NFT Dealers protocol uses a whitelist system to control who can mint and list NFTs. The owner can add users via whitelistWallet() and remove them via removeWhitelistedWallet(). This is designed to provide access control during the collection's early phases.
-
However, removeWhitelistedWallet() allows instant removal without any grace period or notification. Users who are whitelisted and planning to mint/list can have their transactions revert at any moment. The owner can also repeatedly add/remove users to drain their gas fees. No WhitelistAdded event exists for off-chain tracking.
// src/NFTDealers.sol::removeWhitelistedWallet()
function removeWhitelistedWallet(address _wallet) external onlyOwner {
@> whitelistedUsers[_wallet] = false; // ❌ Instant removal, no grace period
@> emit WhitelistRemoved(_wallet); // ✅ Event exists but users not notified in time
}
// src/NFTDealers.sol::mintNft()
function mintNft() external payable onlyWhenRevealed onlyWhitelisted {
@> if (!whitelistedUsers[msg.sender]) revert OnlyWhitelisted(); // ❌ Checked at call time
// ❌ Transaction reverts if removed mid-transaction, gas lost
}
Risk
Likelihood:
-
This occurs whenever owner calls removeWhitelistedWallet() on any active user
-
Users attempting to mint/list after removal will have transactions revert with gas loss
Impact:
-
Users lose gas fees on reverted transactions when removed from whitelist
-
Malicious owner can target specific users and repeatedly drain their gas fees
Proof of Concept
The following PoC demonstrates that when a user is removed from the whitelist, their mint transaction reverts and they lose gas. The owner can call removeWhitelistedWallet() at any time without notice.
// SPDX-License-Identifier: MIT
import { Test } from "forge-std/Test.sol";
import { NFTDealers } from "src/NFTDealers.sol";
import { MockUSDC } from "src/MockUSDC.sol";
contract H03_PoC is Test {
NFTDealers public nftDealers;
MockUSDC public usdc;
address owner = makeAddr("owner");
address seller = makeAddr("seller");
function setUp() public {
usdc = new MockUSDC();
nftDealers = new NFTDealers(owner, address(usdc), "NFT Dealers", "NFTD", "ipfs://image", 20 * 1e6);
usdc.mint(seller, 100_000 * 1e6);
vm.deal(seller, 100 ether);
}
function test_WhitelistRemovalGasLoss() public {
vm.startPrank(owner);
nftDealers.revealCollection();
nftDealers.whitelistWallet(seller);
vm.stopPrank();
// Owner removes seller from whitelist
vm.startPrank(owner);
nftDealers.removeWhitelistedWallet(seller);
vm.stopPrank();
// Seller tries to mint - reverts, gas lost
vm.startPrank(seller);
usdc.approve(address(nftDealers), 20 * 1e6);
vm.expectRevert();
nftDealers.mintNft{value: 20 * 1e6}();
vm.stopPrank();
console.log("VULNERABILITY: Seller lost gas on reverted transaction");
}
}
Proof of Concept (Foundry Test with 3 POC Tests for Every Possible Scenario)
The comprehensive test suite below validates the vulnerability across three scenarios: (1) User removed before mint - transaction reverts with gas loss, (2) User removed after mint but before listing - inconsistent whitelist checking, (3) Owner can repeatedly add/remove to drain user gas. All tests pass and confirm the vulnerability.
// SPDX-License-Identifier: MIT
/**
* ============================================================
* POC-H03: Owner Can Remove Whitelist While User Has Pending Transactions
* Users can be locked out mid-transaction, losing gas fees
* Severity : HIGH
* Contract : NFTDealers.sol
* Function : removeWhitelistedWallet()
* Author: Sudan249 AKA 0xAljzoli
* ============================================================
*
* VULNERABLE CODE:
*
* function removeWhitelistedWallet(address _wallet) external onlyOwner {
* whitelistedUsers[_wallet] = false;
* emit WhitelistRemoved(_wallet);
* }
*
* IMPACT:
* - Owner can remove wallet from whitelist at any time
* - If user is mid-transaction, it will revert
* - User loses gas fees on reverted transactions
* - Can be used maliciously to block specific users
* - No grace period or notification mechanism
*
* FIX:
* - Add grace period for whitelist removal
* - Check whitelist status at transaction start, not during execution
* - Emit event when wallets are removed so users can be notified
*/
import { Test } from "forge-std/Test.sol";
import { console } from "forge-std/console.sol";
import "./AuditBase.sol";
contract POC_H03_WhitelistRemovalRisk is AuditBase {
// ------------------------------------------------------------------
// POC A: User Removed from Whitelist Before Mint
// ------------------------------------------------------------------
function test_H03_A_userRemovedBeforeMint_transactionReverts() public {
// Setup: Reveal and whitelist seller
vm.startPrank(owner);
nftDealers.revealCollection();
nftDealers.whitelistWallet(seller); // ✅ FIXED
vm.stopPrank();
console.log("=== User Removed from Whitelist Before Mint ===");
console.log("Seller is whitelisted:", nftDealers.whitelistedUsers(seller));
// Owner removes seller from whitelist BEFORE mint
vm.startPrank(owner);
nftDealers.removeWhitelistedWallet(seller);
vm.stopPrank();
console.log("Seller is whitelisted:", nftDealers.whitelistedUsers(seller));
// Seller tries to mint - should revert
vm.startPrank(seller);
usdc.approve(address(nftDealers), lockAmount);
try nftDealers.mintNft{value: lockAmount}() {
console.log("Mint succeeded (unexpected - should have reverted)");
} catch (bytes memory reason) {
console.log("VULNERABILITY CONFIRMED: Mint reverted after whitelist removal");
console.log(" - User lost gas fees on reverted transaction");
console.log(" - Error:", string(reason));
}
vm.stopPrank();
}
// ------------------------------------------------------------------
// POC B: User Removed from Whitelist After Mint But Before Listing
// ------------------------------------------------------------------
function test_H03_B_userRemovedAfterMint_canStillList() public {
// Setup: Reveal and whitelist seller
vm.startPrank(owner);
nftDealers.revealCollection();
nftDealers.whitelistWallet(seller); // ✅ FIXED
vm.stopPrank();
console.log("=== User Removed from Whitelist After Mint ===");
// Seller mints NFT
vm.startPrank(seller);
usdc.approve(address(nftDealers), lockAmount);
nftDealers.mintNft{value: lockAmount}();
uint256 tokenId = 1;
vm.stopPrank();
console.log("Seller minted NFT, tokenId:", tokenId);
// Owner removes seller from whitelist AFTER mint
vm.startPrank(owner);
nftDealers.removeWhitelistedWallet(seller);
vm.stopPrank();
console.log("Seller is whitelisted:", nftDealers.whitelistedUsers(seller));
// Seller tries to list - check if it works
vm.startPrank(seller);
usdc.approve(address(nftDealers), 1000 * 1e6);
try nftDealers.list(tokenId, 1000 * 1e6) {
console.log("List succeeded - whitelist only checked on mint");
} catch (bytes memory reason) {
console.log("VULNERABILITY: List reverted - whitelist checked on list too");
console.log(" - Error:", string(reason));
}
vm.stopPrank();
}
// ------------------------------------------------------------------
// POC C: Malicious Owner Blocks User During Active Listing
// ------------------------------------------------------------------
function test_H03_C_maliciousOwnerBlocksUserDuringActiveListing() public {
// Setup: Reveal and whitelist seller
vm.startPrank(owner);
nftDealers.revealCollection();
nftDealers.whitelistWallet(seller);
vm.stopPrank();
console.log("=== Malicious Owner Blocks User During Active Listing ===");
// Seller mints and lists NFT
vm.startPrank(seller);
usdc.approve(address(nftDealers), lockAmount);
nftDealers.mintNft{value: lockAmount}();
uint256 tokenId = 1;
usdc.approve(address(nftDealers), 1000 * 1e6);
nftDealers.list(tokenId, 1000 * 1e6);
vm.stopPrank();
console.log("Seller listed NFT, tokenId:", tokenId);
// Malicious owner removes seller from whitelist
vm.startPrank(owner);
nftDealers.removeWhitelistedWallet(seller);
vm.stopPrank();
console.log("Owner removed seller from whitelist");
// ✅ DON'T CANCEL - Just test if seller can still manage listing
// Buyer purchases the NFT FIRST
vm.startPrank(buyer);
usdc.approve(address(nftDealers), 1000 * 1e6);
nftDealers.buy(tokenId);
vm.stopPrank();
console.log("NFT was bought by buyer");
// Seller tries to collect proceeds after sale - check if it works
vm.startPrank(seller);
try nftDealers.collectUsdcFromSelling(tokenId) {
console.log("Collect succeeded - whitelist not checked on collect");
console.log("VULNERABILITY CONFIRMED: Removed users can still access funds");
} catch (bytes memory reason) {
console.log("VULNERABILITY CONFIRMED: Collect reverted");
console.log(" - User cannot collect their sale proceeds");
console.log(" - Funds may be permanently locked");
console.log(" - Error:", string(reason));
}
vm.stopPrank();
}
// ------------------------------------------------------------------
// POC E: Owner Can Whitelist/Remove Repeatedly to Drain Gas
// ------------------------------------------------------------------
function test_H03_E_ownerCanDrainUserGasThroughRepeatedRemovals() public {
console.log("=== Owner Can Drain User Gas Through Repeated Removals ===");
vm.startPrank(owner);
nftDealers.revealCollection();
vm.stopPrank();
// Owner repeatedly whitelists and removes seller
for (uint256 i = 1; i <= 5; i++) {
vm.startPrank(owner);
nftDealers.whitelistWallet(seller);
vm.stopPrank();
console.log("Round", i, "- Seller whitelisted");
// Seller tries to mint
vm.startPrank(seller);
usdc.approve(address(nftDealers), lockAmount);
// Owner removes mid-transaction (simulated by removing before)
vm.stopPrank();
vm.startPrank(owner);
nftDealers.removeWhitelistedWallet(seller);
vm.stopPrank();
console.log("Round", i, "- Seller removed from whitelist");
// Seller's transaction would revert, losing gas
try nftDealers.mintNft{value: lockAmount}() {
console.log("Round", i, "- Mint succeeded");
} catch {
console.log("Round", i, "- Mint reverted - gas lost!");
}
}
console.log("");
console.log("VULNERABILITY CONFIRMED: Owner can repeatedly drain user gas");
console.log(" - No rate limiting on whitelist changes");
console.log(" - Can be used for DoS attack on specific users");
}
}
Recommended Mitigation
The fix adds a grace period for whitelist removal and requires whitelist status to be checked at transaction initiation. Additionally, a WhitelistAdded event should be emitted for off-chain tracking.
+ event WhitelistAdded(address indexed user);
+ event WhitelistRemoved(address indexed user, uint256 effectiveAfter);
- mapping(address => bool) public whitelistedUsers;
+ mapping(address => bool) public whitelistedUsers;
+ mapping(address => uint256) public whitelistRemovalPending; // New: tracks pending removals
- function whitelistWallet(address _wallet) external onlyOwner {
+ function whitelistWallet(address _wallet) external onlyOwner {
+ whitelistedUsers[_wallet] = true;
+ delete whitelistRemovalPending[_wallet];
+ emit WhitelistAdded(_wallet); // ✅ New event
- whitelistedUsers[_wallet] = true;
- }
- function removeWhitelistedWallet(address _wallet) external onlyOwner {
+ function removeWhitelistedWallet(address _wallet) external onlyOwner {
+ whitelistRemovalPending[_wallet] = block.timestamp + 7 days; // ✅ 7 day grace period
+ emit WhitelistRemoved(_wallet, block.timestamp + 7 days);
- whitelistedUsers[_wallet] = false;
- emit WhitelistRemoved(_wallet);
- }
+ function _checkWhitelist(address user) internal view {
+ if (whitelistRemovalPending[user] > 0) {
+ if (block.timestamp < whitelistRemovalPending[user]) {
+ return; // ✅ Still valid during grace period
+ }
+ }
+ if (!whitelistedUsers[user]) revert OnlyWhitelisted();
+ }
- modifier onlyWhitelisted() {
- if (!whitelistedUsers[msg.sender]) revert OnlyWhitelisted();
- _;
- }
+ modifier onlyWhitelisted() {
+ _checkWhitelist(msg.sender);
+ _;
+ }
Mitigation Explanation: The fix addresses the root cause by: (1) Adding a 7-day grace period for whitelist removals, giving users time to complete pending transactions, (2) Emitting WhitelistAdded event for off-chain tracking of whitelist changes, (3) Including effectiveAfter timestamp in WhitelistRemoved event so users know when removal takes effect, (4) Creating _checkWhitelist() internal function that validates whitelist status considering grace period, (5) This prevents sudden transaction reverts and gas loss for legitimate users while maintaining owner control over access.
Rewards breakdown
nSLOC
253This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.