Submission Details
Impact:
Likelihood:
H-3: Reentrancy in `cancelListing()` — USDC Transferred Before State Reset
Author Revealed upon completion
Description:
In cancelListing(), usdc.safeTransfer is called while collateralForMinting[listing.tokenId] still holds the collateral amount. An attacker with a malicious USDC token (or in a scenario where USDC supports transfer hooks) can re-enter cancelListing() and withdraw the collateral multiple times.
function cancelListing(uint256 _listingId) external {
...
s_listings[_listingId].isActive = false; // ← isActive updated
activeListingsCounter--;
usdc.safeTransfer(listing.seller, collateralForMinting[listing.tokenId]); // ← external call
collateralForMinting[listing.tokenId] = 0; // ← but collateral not cleared yet
...
}
Impact: A seller can recover their collateral multiple times, draining USDC from the contract.
Recommended Mitigation:
function cancelListing(uint256 _listingId) external {
Listing memory listing = s_listings[_listingId];
if (!listing.isActive) revert ListingNotActive(_listingId);
require(listing.seller == msg.sender, "Only seller can cancel listing");
// Effects first
s_listings[_listingId].isActive = false;
activeListingsCounter--;
uint256 collateral = collateralForMinting[listing.tokenId];
collateralForMinting[listing.tokenId] = 0;
// Interactions last
usdc.safeTransfer(listing.seller, collateral);
emit NFT_Dealers_ListingCanceled(_listingId);
}
Rewards breakdown
nSLOC
253This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.