📌 Description
The module-level audit note in contracts/commitment_marketplace/src/lib.rs states:
"No cross-contract NFT ownership checks are performed in this implementation". This
means list_nft (line ~370) and start_auction (line ~986) can list a token the
caller does not actually own in the commitment_nft contract, enabling phantom
listings and griefing.
This issue adds on-chain ownership verification against commitment_nft::owner_of.
🎯 Requirements and Context
list_nft, start_auction, and make_offer-on-list must verify the seller owns the token via NFTContract's owner_of/is_active.- Reject phantom listings with
NFTContractError/NFTNotActive.
- Verification must run inside the reentrancy guard.
- No regressions to fee logic or the payment-token allowlist.
🛠️ Suggested Execution
1. Fork the repo and create a branch
git checkout -b security/marketplace-ownership-check
2. Implement changes
- Add a cross-contract ownership helper and call it from
list_nft/start_auction in contracts/commitment_marketplace/src/lib.rs with /// docs.
- Update the audit note in the module docs and
docs/MARKETPLACE_LISTING_LIFECYCLE.md.
3. Test and commit
- Add tests (with an NFT mock) to
contracts/commitment_marketplace/src/tests.rs.
- Run:
cargo test --target wasm32v1-none --release
- Edge cases: list owned token (ok), list unowned token (rejected), list inactive token, auction unowned token.
Example commit message
fix: verify NFT ownership before listing/auctioning in marketplace
✅ Guidelines
- Minimum 95% test coverage on the listing paths.
- Update the audit note to reflect the new check.
- Timeframe: 96 hours.
🏷️ Labels
type-security · area-contracts · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN
💬 Community & Support
- Join the CommitLabs contributor Discord to coordinate and get unblocked fast: https://discord.gg/WV7tdYkJk
- Introduce yourself before starting to avoid duplicate work.
- Maintainers triage actively and review fast.
📌 Description
The module-level audit note in
contracts/commitment_marketplace/src/lib.rsstates:"No cross-contract NFT ownership checks are performed in this implementation". This
means
list_nft(line ~370) andstart_auction(line ~986) can list a token thecaller does not actually own in the
commitment_nftcontract, enabling phantomlistings and griefing.
This issue adds on-chain ownership verification against
commitment_nft::owner_of.🎯 Requirements and Context
list_nft,start_auction, andmake_offer-on-list must verify the seller owns the token viaNFTContract'sowner_of/is_active.NFTContractError/NFTNotActive.🛠️ Suggested Execution
1. Fork the repo and create a branch
2. Implement changes
list_nft/start_auctionincontracts/commitment_marketplace/src/lib.rswith///docs.docs/MARKETPLACE_LISTING_LIFECYCLE.md.3. Test and commit
contracts/commitment_marketplace/src/tests.rs.cargo test --target wasm32v1-none --releaseExample commit message
✅ Guidelines
🏷️ Labels
type-security·area-contracts·MAYBE REWARDED·GRANTFOX OSS·OFFICIAL CAMPAIGN💬 Community & Support