search

sherlock-audit / 2024-08-flayer-judging

0 stars 0 forks source link

Muscular Pebble Walrus - `withdrawProtectedListing()` can be DoS #717

Open sherlock-admin2 opened 4 days ago

sherlock-admin2 commented 4 days ago

Muscular Pebble Walrus

Medium

withdrawProtectedListing() can be DoS

Summary

withdrawProtectedListing() can be DoS

Vulnerability Detail

When a user unlocks his protectedListing using unlockProtectedListing(), it deletes the _protectedListings mapping. The problem is this _protectedListings mapping is used in Locker.sol to check if tokenId is protected or not, and if protected it doesn't allow any user to withdraw that token.

 function unlockProtectedListing(address _collection, uint _tokenId, bool _withdraw) public lockerNotPaused {
//
        // Delete the listing objects
>       delete _protectedListings[_collection][_tokenId];
//
    }

Suppose a user unlock his protectedLisitngs to withdraw his tokenId later, now the _protectedListings mapping is deleted, which means any user can withdraw that tokenId from Locker.sol. As result, when user will try calling withdrawProtectedListing(), it will revert.

 function withdrawProtectedListing(address _collection, uint _tokenId) public lockerNotPaused {
//
        // Transfer the asset to the user
>       locker.withdrawToken(_collection, _tokenId, msg.sender);
        emit ListingAssetWithdraw(_collection, _tokenId);
    }

Impact

User will lose his NFT

Code Snippet

https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L314 https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L341C4-L352C6

Tool used

Manual Review

Recommendation

Don't delete the mapping until user withdraws his NFT using withdrawProtectedListing()