NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high

User locked amount permanently locked until NFT is sold

Author: Revealed upon completion

No burn mechanism causes minting collateral to be permanently locked if NFT is never sold

Description

`NFTDealers` has no `burnNft()` function. The only way for a minter to recover their `lockAmount` collateral is to sell the NFT via `collectUsdcFromSelling()`. If a whitelisted user mints an NFT and never lists or sells it, their collateral is permanently locked in the contract with no recovery path.
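To make the missing recovery path concrete, here is a minimal collateralised-NFT contract written for this report; it is an added illustration, not `NFTDealers` code. It assumes OpenZeppelin's `ERC721` and `SafeERC20`, and the names `MinimalDealer`, `minterOf`, `isListed`, `cancelListing` and the constructor parameters are placeholders chosen here. Minting locks `lockAmount` exactly as the description says; the `burnNft()` function at the bottom is the path the audited contract lacks, and it goes slightly beyond the finding by also recording the original minter so that collateral can only be reclaimed by whoever locked it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding, not the audited NFTDealers contract.
// Assumes OpenZeppelin's ERC721 and SafeERC20 are available; contract and
// mapping names below are placeholders chosen for the example.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract MinimalDealer is ERC721 {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;
    uint256 public immutable lockAmount;
    uint256 private nextTokenId = 1;

    // Collateral locked per token, who locked it, and whether it is listed.
    mapping(uint256 => uint256) public collateralForMinting;
    mapping(uint256 => address) public minterOf;
    mapping(uint256 => bool) public isListed;

    constructor(IERC20 _usdc, uint256 _lockAmount) ERC721("Dealer", "DLR") {
        usdc = _usdc;
        lockAmount = _lockAmount;
    }

    // Minting pulls lockAmount of USDC into the contract. Without a burn
    // path this balance can only leave through a completed sale.
    function mintNft() external returns (uint256 tokenId) {
        tokenId = nextTokenId++;
        collateralForMinting[tokenId] = lockAmount;
        minterOf[tokenId] = msg.sender;
        usdc.safeTransferFrom(msg.sender, address(this), lockAmount);
        _safeMint(msg.sender, tokenId);
    }

    function list(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "Not owner");
        isListed[tokenId] = true;
    }

    function cancelListing(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "Not owner");
        isListed[tokenId] = false;
    }

    // The recovery path missing from the audited contract. Only the original
    // minter, while still holding the token and with no active listing, can
    // burn it and take the collateral back. All state is cleared before the
    // external USDC transfer (checks-effects-interactions).
    function burnNft(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "Not owner of NFT");
        require(minterOf[tokenId] == msg.sender, "Only original minter");
        require(!isListed[tokenId], "Cancel listing first");

        uint256 collateral = collateralForMinting[tokenId];
        require(collateral > 0, "No collateral locked");
        collateralForMinting[tokenId] = 0;
        delete minterOf[tokenId];
        _burn(tokenId);
        usdc.safeTransfer(msg.sender, collateral);
    }
}
```

The `minterOf` check is a design choice worth calling out: with an `ownerOf` check alone, anyone who receives the token through a plain `transferFrom` could burn it and walk away with the minter's collateral. Requiring both conditions means a transferred token can no longer be burned by either party; a protocol that wants to allow that should instead pay the collateral to the recorded minter rather than to `msg.sender`.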


Risk

Any user who mints an NFT but decides not to sell it, or cannot sell it due to market conditions, will permanently lose their `lockAmount` collateral. This is an unexpected financial loss not communicated by the protocol design and may constitute a significant user fund lockup depending on the `lockAmount` value.

Likelihood: HIGH

  • A whitelisted user calls `mintNft()`, and the only way to get their locked USDC back is to sell the NFT and collect the proceeds with `collectUsdcFromSelling()`.

Impact: HIGH

  • If the user's NFT is never sold, their USDC is locked permanently.

Proof of Concept

Suppose the user lists their NFT but it never sells, and they want their USDC back: there is no way to recover it, since the contract has no burn mechanism or any other unlock path.

```solidity
function test_collateralLockedWhenNftNeverSells() public {
    usdc.mint(address(userWithCash), 20e6);
    uint256 initialBalance = usdc.balanceOf(address(userWithCash));
    vm.prank(userWithCash);
    nftDealers.mintNft();
    uint256 finalBalance = usdc.balanceOf(address(userWithCash));
    // the lockAmount collateral has left the user's wallet
    assertLt(finalBalance, initialBalance);
    uint256 listingId = 1; // assume tokenId = 1
    vm.prank(userWithCash); // only the NFT owner can list it
    nftDealers.list(listingId, 200e6);
    // the NFT is listed but never sold; with no burn mechanism there is
    // no call the user can make to get the locked USDC back
}
```

Recommended Mitigation

Implement a `burnNft()` function that allows NFT owners to burn their token and recover collateral:

+function burnNft(uint256 _tokenId) external {
+ require(ownerOf(_tokenId) == msg.sender, "Not owner of NFT");
+ require(s_listings[_tokenId].isActive == false, "Cancel listing first");
+
+ uint256 collateral = collateralForMinting[_tokenId];
+ collateralForMinting[_tokenId] = 0;
+ _burn(_tokenId);
+ usdc.safeTransfer(msg.sender, collateral);
+}
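Review bot: the `require(s_listings[_tokenId].isActive == false, ...)` check on the second line assumes listings are keyed by token id, but the PoC above calls `list()` with a `listingId` that is only assumed to equal the token id; if listings carry their own ids, look the listing up through the token-to-listing mapping (or keep an active flag per token) so a listed token cannot be burned. Two further points on this hunk: `ownerOf(_tokenId) == msg.sender` lets any current holder, not only the original minter, claim the minter's collateral after a plain `transferFrom`, so either record the minter at mint time and require it here or send the collateral to that recorded minter; and `usdc.safeTransfer` needs `using SafeERC20 for IERC20;` in the contract. The ordering (zero `collateralForMinting[_tokenId]` and `_burn` before the transfer) correctly follows checks-effects-interactions.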
