NFTDealers::mintNft() and NFTDealers::buy() are marked payable with no ETH handling causing permanent ETH loss

`NFTDealers::mintNft()` and `NFTDealers::buy()` are marked `payable` even though the protocol settles every payment flow in USDC. The `payable` keyword allows callers to attach ETH to these calls; a non-payable function would instead revert on any non-zero `msg.value`, because the compiler inserts that check into the function prologue. The contract has no `receive()` or `fallback()` function, no `withdraw()` function and no `msg.value` validation, so any ETH sent alongside these calls is accepted silently and becomes permanently locked with no recovery path.
Users who accidentally send ETH alongside their transaction lose those funds: the contract has no function for withdrawing ETH and no way for the owner to recover ETH stuck in it.
Likelihood: MEDIUM
A user can accidentally send ETH to those two functions, for example by passing a non-zero value in a wallet or script call.
Impact: MEDIUM
No protocol rule is violated, but the user's ETH ends up in the contract. This only happens by accident, yet the ETH cannot be withdrawn afterwards, so the loss to the user is permanent.
Remove the `payable` modifier from both functions since ETH payments are not intended. The compiler then rejects any call that attaches ETH, so no explicit `msg.value` check or ETH withdraw path is needed.
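As an added illustration (not the audited NFTDealers source), the following Foundry test file puts a stand-in for the vulnerable shape next to the fixed one and shows what each does with attached ETH. The contract layout (a `usdc` token, an `nftPrice` in USDC base units, a mint counter and an `ownerOf` map), the `MockUSDC` stand-in, the `DealerBase` helper and the `alice` account are all assumptions made for the example; only the two entry-point names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed USDC stand-in for the test, not the real token.
contract MockUSDC is IERC20 {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        // Allowance bookkeeping omitted: irrelevant to the ETH-locking issue.
        require(balanceOf[from] >= amt, "insufficient USDC");
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Assumed shape of the dealer: USDC-only settlement, no receive()/fallback()/withdraw().
abstract contract DealerBase {
    IERC20 public immutable usdc;
    uint256 public immutable nftPrice;           // USDC base units (6 decimals), assumed
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;

    constructor(IERC20 _usdc, uint256 _nftPrice) { usdc = _usdc; nftPrice = _nftPrice; }

    function _mint() internal {
        require(usdc.transferFrom(msg.sender, address(this), nftPrice), "USDC transfer failed");
        ownerOf[nextId++] = msg.sender;
    }

    function _buy(uint256 id) internal {
        address seller = ownerOf[id];
        require(seller != address(0) && seller != msg.sender, "bad id");
        require(usdc.transferFrom(msg.sender, seller, nftPrice), "USDC transfer failed");
        ownerOf[id] = msg.sender;
    }
}

// Vulnerable shape: payable entry points that never read msg.value. Attached ETH
// is accepted and, with no withdraw path, stays in the contract forever.
contract NFTDealersVulnerable is DealerBase {
    constructor(IERC20 u, uint256 p) DealerBase(u, p) {}
    function mintNft() external payable { _mint(); }
    function buy(uint256 id) external payable { _buy(id); }
}

// Fixed shape: drop `payable`. solc emits a CALLVALUE check in the prologue of a
// non-payable function, so a call with msg.value > 0 reverts before the body runs.
contract NFTDealersFixed is DealerBase {
    constructor(IERC20 u, uint256 p) DealerBase(u, p) {}
    function mintNft() external { _mint(); }
    function buy(uint256 id) external { _buy(id); }
}

contract PayableLockTest is Test {
    MockUSDC usdc;
    NFTDealersVulnerable vuln;
    NFTDealersFixed fixedDealer;
    address alice = address(0xA11CE);             // assumed test account

    function setUp() public {
        usdc = new MockUSDC();
        vuln = new NFTDealersVulnerable(usdc, 100e6);
        fixedDealer = new NFTDealersFixed(usdc, 100e6);
        usdc.mint(alice, 1_000e6);
        vm.deal(alice, 1 ether);
    }

    // Before the fix: the mint succeeds, the ETH lands in the contract and stays there.
    function test_vulnerable_swallowsEth() public {
        vm.prank(alice);
        vuln.mintNft{value: 1 ether}();
        assertEq(address(vuln).balance, 1 ether);
        assertEq(alice.balance, 0);
    }

    // After the fix: the same call reverts and the ETH never leaves the caller.
    // A low-level call is needed because solc refuses `{value: ...}` on a non-payable function.
    function test_fixed_rejectsEth() public {
        vm.prank(alice);
        (bool ok, ) = address(fixedDealer).call{value: 1 ether}(
            abi.encodeWithSelector(NFTDealersFixed.mintNft.selector)
        );
        assertFalse(ok);
        assertEq(alice.balance, 1 ether);
        assertEq(address(fixedDealer).balance, 0);
    }
}
```

Run with `forge test`. The second test uses a raw `call` deliberately: once `payable` is gone the compiler rejects `fixedDealer.mintNft{value: 1 ether}()` at compile time, and the CALLVALUE check it inserts rejects ETH at run time, which together are the whole fix. If one of these functions ever has to stay `payable` for another reason, the equivalent explicit guard is `require(msg.value == 0)` at the top of its body.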