Skip to content

Latest commit

 

History

History
50 lines (31 loc) · 1.6 KB

086.md

File metadata and controls

50 lines (31 loc) · 1.6 KB

Loud Mocha Platypus

High

Buyer doesn't receive NFT that they should get in buyOrder.sellNFT()

Summary

Buyer pre-escrows the potential purchase funds of an NFT during buyOrderFactory.createBuyOrder(). This creates a buyOrder.sol contract for him locally, where an owner of the NFT can potentially accept this buy offer via sellNFT().

When the owner of the NFT accepts the buy offer via sellNFT() the NFT mistakenly gets sent to the buyOrder.sol contract. This contract has no way to send the NFT anywhere, and it should have instead been sent to the buyer of the NFT.

Root Cause

See Summary.

Internal pre-conditions

See Summary.

External pre-conditions

See Summary.

Attack Path

See Summary.

Impact

See Summary.

PoC

None

Mitigation

// https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/buyOrders/buyOrder.sol#L99-#L103
// The `buyInformation.owner` is the user who called `buyOrderFactory.createBuyOrder()` 
// and escrowed their buy tokens in advance. 
// They are the owner of the `buyOrder` contract, and so the NFT should be going to them, because they bought it.
        IERC721(buyInformation.wantedToken).transferFrom(
            msg.sender,
-            address(this),
+           buyInformation.owner,
            receiptID
        );