The functions NFTDealers::whitelistWallet() and NFTDealers::removeWhitelistedWallet() do not emit events, which makes it difficult for off-chain systems to track changes to wallet whitelist status.
Likelihood:
The owner adds or removes wallets from the whitelist during normal protocol operations, so these functions are called regularly throughout the contract lifecycle.
Any front-end or off-chain indexer monitoring whitelist changes would need to continuously poll the contract state instead of listening for events, increasing the chance of missing a status change between two consecutive queries.
Impact:
Without WalletWhitelisted and WalletRemovedFromWhitelist events, any off-chain service or user interface that needs to know the current whitelist status of a wallet would have to actively query the whitelistedUsers mapping to get the current value. This is less efficient than simply listening for the corresponding events, and it can lead to delays in detecting changes to the whitelist.
The impact of this could be significant because the whitelist gates access to core protocol functions such as mintNft and list. If a wallet is added or removed from the whitelist and an off-chain service or user is not aware of the change because they didn't query the contract state at the right time, they could attempt to interact with the protocol without knowing their access has been revoked, or fail to act on a newly granted whitelist spot in time.
Proof of Concept
Add dedicated events for both whitelist operations and emit them accordingly, allowing off-chain services and user interfaces to efficiently track whitelist changes without polling the contract state.
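A sketch of that mitigation, added here as an example and not taken from the NFTDealers source. The function, mapping and event names come from the finding; the function signatures, the owner check and the skip-on-no-change behaviour are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the NFTDealers contract. Only whitelistWallet,
// removeWhitelistedWallet, whitelistedUsers and the two event names
// appear in the finding; everything else is assumed for illustration.
contract WhitelistEventsSketch {
    address public immutable owner; // assumed access-control model
    mapping(address => bool) public whitelistedUsers;

    // Indexing the wallet lets an indexer filter logs for one address.
    event WalletWhitelisted(address indexed wallet);
    event WalletRemovedFromWhitelist(address indexed wallet);

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function whitelistWallet(address wallet) external onlyOwner {
        // Emit only on a real state transition, so replaying the logs
        // reproduces the mapping exactly without duplicate entries.
        if (whitelistedUsers[wallet]) return;
        whitelistedUsers[wallet] = true;
        emit WalletWhitelisted(wallet);
    }

    function removeWhitelistedWallet(address wallet) external onlyOwner {
        if (!whitelistedUsers[wallet]) return;
        whitelistedUsers[wallet] = false;
        emit WalletRemovedFromWhitelist(wallet);
    }
}
```

With both events in place, an indexer can rebuild the current whitelist by replaying logs from the deployment block instead of polling whitelistedUsers for every wallet.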