NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: high

Implementation blocks non-whitelisted holders from listing NFTs, contradicting the documented actor model

Author: Revealed upon completion

Root + Impact

Description

Under the documented protocol behavior, a non-whitelisted wallet is not allowed to mint, but it is still allowed to participate in the secondary market. The docs explicitly state that a non-whitelisted user can:

  • buy
  • update price
  • cancel listing
  • list NFT
  • collect USDC after selling

That means whitelist status is intended to gate minting, not ownership rights on already-held NFTs.

However, the implementation adds onlyWhitelisted to list(), which prevents a non-whitelisted holder from listing an NFT for secondary sale:

modifier onlyWhitelisted() {
    require(whitelistedUsers[msg.sender], "Only whitelisted users can call this function");
    _;
}

function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
    // @> listing is restricted to whitelisted users
    // @> docs state non-whitelisted users should also be able to list
}
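To make the two gates concrete, here is an added Solidity sketch (example code written for this page, not the NFT Dealers contract): a minimal marketplace stub that keeps onlyWhitelisted on minting and gates list() on token ownership, with the reported whitelist-gated variant kept alongside as listBuggy for comparison. Contract, storage and function names other than onlyWhitelisted and list are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the NFT Dealers contract. Names other than
// onlyWhitelisted and list (ownerOf, listingPrice, mint, listBuggy, ...)
// are assumed for this example.
contract WhitelistGatingExample {
    mapping(address => bool) public whitelistedUsers;
    mapping(uint256 => address) public ownerOf;      // token -> current holder
    mapping(uint256 => uint32) public listingPrice;  // token -> USDC price, 0 = not listed
    uint256 public nextTokenId = 1;
    address public immutable admin;

    constructor() {
        admin = msg.sender;
    }

    // Same modifier as the one quoted in the finding.
    modifier onlyWhitelisted() {
        require(whitelistedUsers[msg.sender], "Only whitelisted users can call this function");
        _;
    }

    // Ownership is the gate that matters for actions on an already-held token.
    modifier onlyTokenOwner(uint256 tokenId) {
        require(ownerOf[tokenId] == msg.sender, "Caller does not own this token");
        _;
    }

    function setWhitelisted(address user, bool allowed) external {
        require(msg.sender == admin, "admin only");
        whitelistedUsers[user] = allowed;
    }

    // Minting is the only action the docs reserve for whitelisted wallets.
    function mint() external onlyWhitelisted returns (uint256 tokenId) {
        tokenId = nextTokenId++;
        ownerOf[tokenId] = msg.sender;
    }

    // Simplified transfer: the holder moves a token to any wallet,
    // whitelisted or not, and any open listing for it is cleared.
    function transferFrom(address from, address to, uint256 tokenId) external {
        require(msg.sender == from && ownerOf[tokenId] == from, "not owner");
        delete listingPrice[tokenId];
        ownerOf[tokenId] = to;
    }

    // BUGGY (as reported): the whitelist check runs first and rejects a
    // non-whitelisted holder who legitimately received the token.
    function listBuggy(uint256 tokenId, uint32 price)
        external
        onlyWhitelisted
        onlyTokenOwner(tokenId)
    {
        require(price > 0, "price must be nonzero");
        listingPrice[tokenId] = price;
    }

    // FIXED: gate on ownership only; whitelist status plays no role here.
    function list(uint256 tokenId, uint32 price) external onlyTokenOwner(tokenId) {
        require(price > 0, "price must be nonzero");
        listingPrice[tokenId] = price;
    }
}
```

Run through the finding's PoC flow (mint as a whitelisted user, transfer to a non-whitelisted wallet, list from the new holder), listBuggy reverts with the same message the test expects, while list succeeds; a caller that does not hold the token is still rejected by onlyTokenOwner in both variants, which is the check that must survive when the whitelist modifier is dropped.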

Risk

Likelihood:

  • The issue occurs whenever a non-whitelisted NFT holder attempts to list their NFT on the secondary market.

Impact:

  • Legitimate NFT holders can be blocked from accessing the documented resale flow.

Proof of Concept

Paste this inside NFTDealersTest.t.sol:

function testNonWhitelistedHolderCannotListContraryToDocs() public revealed {
    uint256 tokenId = 1;
    uint32 salePrice = 1000e6;

    // Mint to a whitelisted user first
    mintNFTForTesting();

    // Transfer NFT to a non-whitelisted user
    vm.prank(userWithCash);
    nftDealers.transferFrom(userWithCash, userWithEvenMoreCash, tokenId);

    // New holder is not whitelisted
    assertFalse(nftDealers.isWhitelisted(userWithEvenMoreCash));
    assertEq(nftDealers.ownerOf(tokenId), userWithEvenMoreCash);

    // Docs say a non-whitelisted user should be able to list,
    // but the implementation reverts because list() is onlyWhitelisted.
    vm.prank(userWithEvenMoreCash);
    vm.expectRevert("Only whitelisted users can call this function");
    nftDealers.list(tokenId, salePrice);
}

Recommended Mitigation

If the documented behavior is the intended one, remove the onlyWhitelisted modifier from list() and keep whitelist gating only on minting.

-function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {
+function list(uint256 _tokenId, uint32 _price) external {
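Review bot: the hunk changes only the signature of list(), so before dropping onlyWhitelisted confirm that the body of list() still requires msg.sender to be the owner of (or approved for) _tokenId; the finding's own argument is that ownership, not whitelist status, gates actions on an already-held NFT, and without that check the call would become open to any address. It is also worth checking whether the update-price and cancel-listing functions carry the same onlyWhitelisted modifier, since the Description lists both among the actions a non-whitelisted user is documented to perform.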
