NFT Dealers

First Flight #58

Beginner FriendlyFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Mismatch Between Listing ID and Token ID in NFT Purchase Function

Author Revealed upon completion

Use listing_ID in the buy function, users can buy NFTs that are not what they want

Description

The user should buy the NFTs that have the same ID they enter
In the buy function when users enter the listing_ID they can get a diffrent NFTs not the one they want because we use tokeID in listing

function buy(uint256 _listingId) external payable {

//@> Listing memory listing = s_listings[_listingId];

if (!listing.isActive) revert ListingNotActive(_listingId);

require(listing.seller != msg.sender, "Seller cannot buy their own NFT");

activeListingsCounter--;

bool success = usdc.transferFrom(msg.sender, address(this), listing.price);

require(success, "USDC transfer failed");

_safeTransfer(listing.seller, msg.sender, listing.tokenId, "");

s_listings[_listingId].isActive = false;

emit NFT_Dealers_Sold(msg.sender, listing.price);

}

Risk

Likelihood:

Reason 1: Every time users try to buy an NFT they will face this problem
Reason 2: Easy to trigger because the functions are external and commonly used.

Impact:

Impact 1: Buyer gets NFTs that are not what they pay for
Impact 2: Marketplace counters and metrics become inconsistent, causing UI errors and potential reporting/fraud issues.

Proof of Concept

Scenario Setup:

NFT #101 is listed by its owner using:

list(101, 100 * 1e6); // price in USDC

The listing is stored in s_listings[101].

Buyer Attempts to Purchase:

Buyer calls buy() using a listing ID instead of the token ID:

buy(1); // assumes listing ID = 1

Observed Behavior:

The function looks up s_listings[1] instead of s_listings[101].

This may result in:

Reverting with ListingNotActive(1)

Buying the wrong NFT if tokenId 1 exists

Counters (activeListingsCounter) being decremented incorrectly

Expected Behavior:

buy() should allow purchasing NFT #101 correctly.

Recommended Mitigation

- Listing_ID in buy function

+ Token_ID in teh buy function

Rewards breakdown

nSLOC

253

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!