NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: medium
Likelihood: high

Non-Whitelisted Users Can't List NFTs

Author Revealed upon completion

Only whitelisted users can list their NFTs; users that are not whitelisted can't sell their NFTs.

Description

  • Both whitelisted and non-whitelisted users should be able to list their NFTs. This is the expected behavior, and the actor roles state that non-whitelisted users can still list their NFTs.

  • There is a modifier on the list function that allows only whitelisted users to list their NFTs, so other users can't list theirs because of onlyWhitelisted.

//@> function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
        require(_price >= MIN_PRICE, "Price must be at least 1 USDC");
        require(ownerOf(_tokenId) == msg.sender, "Not owner of NFT");
        require(s_listings[_tokenId].isActive == false, "NFT is already listed");
        require(_price > 0, "Price must be greater than 0");
        listingsCounter++;
        activeListingsCounter++;
        s_listings[_tokenId] =
            Listing({seller: msg.sender, price: _price, nft: address(this), tokenId: _tokenId, isActive: true});
        emit NFT_Dealers_Listed(msg.sender, listingsCounter);
    }

Risk

Likelihood:

  • Reason 1: It affects every non-whitelisted user. Any NFT owner who is not whitelisted will immediately encounter the issue when trying to list their NFT.

  • Reason 2: The function is external, so any user can attempt to call list(), and the restriction blocks them every time.

Impact:

  • Impact 1: Reduces marketplace participation and revenue potential.

  • Impact 2: Could confuse users and harm project reputation.

Proof of Concept

Scenario Setup:
User Alice owns an NFT with tokenId = 1.
Alice is NOT whitelisted.
Action:
Alice tries to list her NFT:
list(1, 100 * 1e6); // 100 USDC
Observed Behavior:
The transaction reverts due to the onlyWhitelisted modifier.
Alice cannot list her NFT even though she is the rightful owner.
Code Causing the Issue:
function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
Expected Behavior:
Alice (as the NFT owner) should be able to list her NFT regardless of whitelist status.
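
The scenario above as a Foundry test, added here as an illustration and not taken from the NFT Dealers code base. `ListingGateModel`, `seed`, `listFixed`, the storage layout and the "not whitelisted" revert string are assumptions; only the `list` checks and their messages come from the finding. The second test goes one step further and shows that the ownership check still stops non-owners once the gate is removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in, NOT the audited contract: it models only the whitelist
// gate and the checks quoted in the finding. Storage and seed() are hypothetical.
contract ListingGateModel {
    uint32 public constant MIN_PRICE = 1e6; // assumed: 1 USDC at 6 decimals
    mapping(address => bool) public whitelisted;
    mapping(uint256 => address) public ownerOf; // stands in for ERC-721 ownership
    mapping(uint256 => bool) public isActive;
    modifier onlyWhitelisted() {
        require(whitelisted[msg.sender], "not whitelisted"); // message is assumed
        _;
    }
    function seed(address u, uint256 id, bool wl) external { ownerOf[id] = u; whitelisted[u] = wl; }
    // Reported behaviour: the gate rejects the caller before ownership is checked.
    function list(uint256 id, uint32 price) external onlyWhitelisted { _list(id, price); }
    // Recommended mitigation: identical checks without the whitelist gate.
    function listFixed(uint256 id, uint32 price) external { _list(id, price); }
    function _list(uint256 id, uint32 price) internal {
        require(price >= MIN_PRICE, "Price must be at least 1 USDC");
        require(ownerOf[id] == msg.sender, "Not owner of NFT");
        require(!isActive[id], "NFT is already listed");
        isActive[id] = true;
    }
}

contract ListingGateTest is Test {
    ListingGateModel model;
    address alice = makeAddr("alice"); // owns token 1, not whitelisted
    address bob = makeAddr("bob"); // owns nothing
    function setUp() public {
        model = new ListingGateModel();
        model.seed(alice, 1, false);
    }
    function test_ownerBlockedByWhitelistGate() public {
        vm.prank(alice);
        vm.expectRevert(bytes("not whitelisted"));
        model.list(1, 100 * 1e6); // 100 USDC, as in the scenario above
    }
    function test_fixedPathStillRequiresOwnership() public {
        vm.prank(bob);
        vm.expectRevert(bytes("Not owner of NFT"));
        model.listFixed(1, 100 * 1e6);
        vm.prank(alice);
        model.listFixed(1, 100 * 1e6);
        assertTrue(model.isActive(1));
    }
}
```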

Recommended Mitigation

Remove the whitelist requirement so that other users can list their NFTs.

- OnlyWhitelis
+ any user
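
Review bot: the removed and added lines are not an applicable change, since `- OnlyWhitelis` is truncated and `+ any user` is not code; the diff should show the `list` signature with the modifier dropped, i.e. `function list(uint256 _tokenId, uint32 _price) external {`. With the modifier gone, `require(ownerOf(_tokenId) == msg.sender, "Not owner of NFT");` is the only caller restriction left in the quoted function, so it has to stay in place.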
