`NFTDealers::updatePrice()` missing `MIN_PRICE` check allows seller to bypass minimum price enforcement
NFTDealers::updatePrice() missing MIN_PRICE check allows seller to bypass minimum price enforcement
Description
`NFTDealers::updatePrice()` only validates that `_newPrice > 0`, while `NFTDealers::list()` enforces `_price >= MIN_PRICE` (1 USDC). This inconsistency allows a seller to first create a valid listing meeting the minimum price requirement, then immediately update the price to any value above zero — effectively bypassing the `MIN_PRICE` invariant entirely.
Risk
Sellers can list NFTs at 1 wei USDC after initial listing, effectively gifting NFTs or manipulating the marketplace below the protocol's intended minimum price floor.
Likelihood: HIGH
Whitelisted address miint first, and listing, then updatePrice to below MIN_PRICE
Impact: HIGH
Violating protocol rules that MIN_PRICE must be minimal 1e6
Proof of Concept
1. Seller calls `NFTDealers::list(tokenId, 1e6)` — passes `MIN_PRICE` check
2. Seller immediately calls `NFTDealers::updatePrice(listingId, 1)` — sets price to 1 wei
3. Buyer calls `NFTDealers::buy()` — purchases NFT for 1 wei USDC
Recommended Mitigation
Apply the same `MIN_PRICE` validation in `NFTDealers::updatePrice()`:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.