NFT Dealers

First Flight #58

Beginner FriendlyFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

[H] Non-whitelisted users cannot list items for sale after purchase; this does not match the business description.

Author Revealed upon completion

Root + Impact

Description

If a non-whitelisted user buys it, they can continue to list it for sale.
The list function enforces a whitelist of users, preventing regular users from performing listings.This causes disruption to normal business operations: non-whitelisted users cannot sell and cannot profit from it.

// Root cause in the codebase with @> marks to highlight the relevant section

@> function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {

//...

}

Risk

Likelihood:

The list function has a whitelist restriction; only whitelisted users can list items. Non-whitelisted users cannot list items for sale, and this issue will definitely exist for any non-whitelisted user.

Impact:

If non-whitelisted users buy it, they cannot relist it; to liquidate it they can only delist, which can cause them financial loss.
The business cannot freely conduct multi-level sales among non-whitelisted users; although administrators can manage the whitelist, the business has already lost its purpose.

Proof of Concept

A whitelisted user mints an NFT and lists it for sale
A non-whitelisted user purchases this NFT
The seller confirms the transaction and receives payment
When the whitelisted user attempts to list the item, the operation reverts

function test_Poc_newBuyerCannotlist() public revealed whitelisted{

address newBuyer = makeAddr("newBuyer");

usdc.mint(newBuyer, 200_000e6);

vm.startPrank(userWithCash);

usdc.approve(address(nftDealers), 1000e6);

// userWithCash mint a Nft and list it

nftDealers.mintNft();

uint32 sellPrice = 20e6;

uint256 tokenId_userWithCash = nftDealers.totalMinted();

nftDealers.list(tokenId_userWithCash, sellPrice);

vm.stopPrank();

// newBuyer buy the NFT

vm.startPrank(newBuyer);

usdc.approve(address(nftDealers), 1000e6);

nftDealers.buy(tokenId_userWithCash);

vm.stopPrank();

vm.prank(userWithCash);

nftDealers.collectUsdcFromSelling(tokenId_userWithCash);

// then newBuyer cannot list the NFT, because he is not whitelisted

vm.prank(newBuyer);

vm.expectRevert("Only whitelisted users can call this function");

nftDealers.list(tokenId_userWithCash, sellPrice);

}

Recommended Mitigation

Remove the modifer onlyWhitelisted on listfunction

- function list(uint256 _tokenId, uint32 _price) external onlyWhitelisted {

+ function list(uint256 _tokenId, uint32 _price) external {

Rewards breakdown

nSLOC

253

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!