The protocol exchanges NFTs for ERC20 USDC tokens, not for the native blockchain token.
Because the buy() function is payable, it accepts msg.value. Innocent users could send native token value to this function, and that amount is lost forever.
Likelihood:
A user calls buy() or mintNft() with msg.value set. In that case, both the native value and the user's USDC balance will be deducted and transferred to the protocol smart contract.
Impact:
Incorrect behavior: innocent buyers could forever lose the native token balance they transfer when making a buy() call.
There is also no withdraw() function in the smart contract to withdraw the transferred native balance, so it is lost forever.
The user directly transfers native blockchain tokens when calling the buy() function and loses their value forever.
Remove payable from the two functions mintNft() and buy(). Of course, we could also add a withdraw function for the owner to withdraw the native token balance and leave payable intact, but this is not fair to users who carelessly transfer native balance to the contract.
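The recommended change, sketched as an added example that is not the audited contract's code: the contract names, the fixed PRICE, the ownerOf bookkeeping and the buy() parameter are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only; names and signatures are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Before: buy() is payable although payment is taken in USDC.
contract PayableMarket {
    IERC20 public immutable usdc;
    uint256 public constant PRICE = 100e6; // constructed value: 100 USDC, 6 decimals
    mapping(uint256 => address) public ownerOf;

    constructor(IERC20 _usdc) { usdc = _usdc; }

    // A call may carry msg.value. The USDC price is still pulled from the
    // caller, and the native tokens stay in this contract, which has no
    // function that can send them out again.
    function buy(uint256 tokenId) external payable {
        require(ownerOf[tokenId] == address(0), "already sold");
        ownerOf[tokenId] = msg.sender;
        require(usdc.transferFrom(msg.sender, address(this), PRICE), "USDC transfer failed");
    }
}

// After: payable removed.
contract FixedMarket {
    IERC20 public immutable usdc;
    uint256 public constant PRICE = 100e6; // constructed value: 100 USDC, 6 decimals
    mapping(uint256 => address) public ownerOf;

    constructor(IERC20 _usdc) { usdc = _usdc; }

    // For a non-payable function the compiler inserts a check that reverts
    // when msg.value != 0, so a mistaken native transfer fails and the
    // caller keeps the funds. Only the USDC payment path remains.
    function buy(uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "already sold");
        ownerOf[tokenId] = msg.sender;
        require(usdc.transferFrom(msg.sender, address(this), PRICE), "USDC transfer failed");
    }
}
```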