NFT Dealers

First Flight #58

Beginner FriendlyFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: high

Only whitelisted users can list NFTs, contrary to README

Author Revealed upon completion

Only whitelisted users can list NFTs, contrary to README

Description

According to the README:

Actors:

Owner

deploy the smart contract and set parameters (collateral, collection name, image, symbol, etc.)
whitelist or remove from whitelist wallets
reveal the protocol
withdraw fees

Whitelisted user/wallet

mint NFT
buy, update price, cancel listing, list NFT
collect USDC after selling

Non whitelisted user/wallet

cannot mint
buy, update price, cancel listing, list NFT
collect USDC after selling

However, in the code:

// Root cause in the codebase with @> marks to highlight the relevant section

function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted { ... }

So only whitelisted users can list NFTs.

Risk

Impact:

Code and docs are inconsistent

Recommended Mitigation

Open up the listfunction to all users.

- function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted { ... }

+ function list(uint256 _tokenId, uint32 _price) external { ... }

Rewards breakdown

nSLOC

253

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!