buy() has no whitelist check — anyone can purchase. But list() requires onlyWhitelisted. Non-whitelisted buyers receive the NFT but cannot resell through the marketplace.
Likelihood:
Any non-whitelisted buyer who purchases an NFT discovers they cannot resell it.
Impact:
The buyer's NFT is illiquid within the protocol. This contradicts the 3-actor model, in which non-whitelisted users participate in secondary sales.
Bob (non-whitelisted) calls buy(1) successfully — no whitelist check. Bob then calls list(1, 50e6) and it reverts with "Only whitelisted users can call this function." Bob's NFT is stuck.
Remove the whitelist requirement from list() so any NFT owner can resell, or add a separate check that allows both whitelisted users and current NFT holders to list.
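The asymmetry and the first mitigation option, as an added minimal model that is not the audited contract's code. The storage layout, the constructor, listFixed() and _list() are assumptions made for illustration; only buy(), list(), onlyWhitelisted and the revert string come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal model of the finding, not the audited contract.
// Payment and token transfer logic are omitted; names other than buy(),
// list() and onlyWhitelisted are hypothetical.
contract MarketplaceModel {
    mapping(address => bool) public whitelisted;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public priceOf; // 0 means "not listed"

    modifier onlyWhitelisted() {
        require(whitelisted[msg.sender], "Only whitelisted users can call this function.");
        _;
    }

    // Seeds one whitelisted seller with one listed token.
    constructor(address seller, uint256 tokenId, uint256 price) {
        whitelisted[seller] = true;
        ownerOf[tokenId] = seller;
        priceOf[tokenId] = price;
    }

    // No whitelist check: any address can become the owner.
    function buy(uint256 tokenId) external {
        require(priceOf[tokenId] != 0, "Not listed");
        ownerOf[tokenId] = msg.sender;
        priceOf[tokenId] = 0;
    }

    // As reported: a non-whitelisted owner reverts in the modifier.
    function list(uint256 tokenId, uint256 price) external onlyWhitelisted {
        _list(tokenId, price);
    }

    // Mitigation variant: ownership, not whitelist membership, gates listing.
    function listFixed(uint256 tokenId, uint256 price) external {
        _list(tokenId, price);
    }

    function _list(uint256 tokenId, uint256 price) internal {
        require(ownerOf[tokenId] == msg.sender, "Not token owner");
        require(price != 0, "Price must be > 0");
        priceOf[tokenId] = price;
    }
}
```

With token 1 seeded and Bob not whitelisted, buy(1) succeeds, list(1, 50e6) reverts with the whitelist message, and listFixed(1, 50e6) succeeds because Bob is the current owner.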