When a user unlocks his protectedListing using unlockProtectedListing(), it deletes the _protectedListings mapping. The problem is this _protectedListings mapping is used in Locker.sol to check if tokenId is protected or not, and if protected it doesn't allow any user to withdraw that token.
function unlockProtectedListing(address _collection, uint _tokenId, bool _withdraw) public lockerNotPaused {
//
// Delete the listing objects
> delete _protectedListings[_collection][_tokenId];
//
}
Suppose a user unlock his protectedLisitngs to withdraw his tokenId later, now the _protectedListings mapping is deleted, which means any user can withdraw that tokenId from Locker.sol. As result, when user will try calling withdrawProtectedListing(), it will revert.
function withdrawProtectedListing(address _collection, uint _tokenId) public lockerNotPaused {
//
// Transfer the asset to the user
> locker.withdrawToken(_collection, _tokenId, msg.sender);
emit ListingAssetWithdraw(_collection, _tokenId);
}
Muscular Pebble Walrus
Medium
withdrawProtectedListing()
can be DoSSummary
withdrawProtectedListing()
can be DoSVulnerability Detail
When a user unlocks his protectedListing using
unlockProtectedListing()
, it deletes the_protectedListings
mapping. The problem is this_protectedListings
mapping is used in Locker.sol to check if tokenId is protected or not, and if protected it doesn't allow any user to withdraw that token.Suppose a user unlock his protectedLisitngs to withdraw his tokenId later, now the _protectedListings mapping is deleted, which means any user can withdraw that tokenId from Locker.sol. As result, when user will try calling
withdrawProtectedListing()
, it will revert.Impact
User will lose his NFT
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L314 https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L341C4-L352C6
Tool used
Manual Review
Recommendation
Don't delete the mapping until user withdraws his NFT using withdrawProtectedListing()