NiftyApes - Seller Financing

Off-Chain (Private)

Audited on 2023/08/10

No active critical issues

Summary

NiftyApes Seller Financing is a protocol that allows sellers to offer financing options to purchase their NFTs. Offers are signed by sellers off-chain for interested buyers to execute on-chain. During a loan, the `NiftyApesSellerFinancing` contract holds the NFT in escrow and delegates it to the buyer through `delegate.cash`. Both the seller and the buyer are given ticket vouchers representing their end of the loan, which they are free to transfer to other addresses. A seller can seize back their NFT if the loan has defaulted, whilst optionally providing a grace period for late payments. The contract includes integration with Seaport, allowing buyers to sell the loaned NFT to Seaport bids that cover the remainder of their loan. The protocol prohibits interactions by addresses on the OFAC sanctions list. Over the course of the audit, we prioritized validating that the NFTs and their loan ticket vouchers maintained proper access control. In addition to standard security practices, we also looked for vulnerabilities surrounding faulty accounting, drifts in NFT delegations, and the potential for locked funds with Seaport integration or sanctioned users. We were able to uncover a few important issues. `delegate.cash` integration for collection offers breaks when the buyer ticket is transferred (NFTY-1). The current Seaport integration results in locked funds for some bids and is unable to complete others (NFTY-2 & NFTY-5). The contract is also missing some access control for prohibiting sanctioned users (NFTY-3 & NFTY-4). The protocol has a strong testing suite and thorough documentation. The NiftyApes team was able to answer all of our questions throughout the course of the audit. **Fix Review:** The NiftyApes team addressed all of the issues found in the audit. Many of the informational severity issues served to highlight the contract's behavior rather than point to security concerns and were addressed by updating the documentation. We encourage users to thoroughly read through the project's documentation before interacting with the contract.

Project

Issues (20)

	Low	Medium	High	Critical	Total
Not fixed	9	-	-	-	9
Fixed	6	1	4	-	11
Total	15	1	4	0	20

#	File Name
1	src/marketplaceIntegration/MarketplaceIntegration.sol
2	src/SellerFinancing.sol

NiftyApes - Seller Financing

Summary

Issues (20)

`withdrawOfferSignature()` Vulnerable to Front-Runningnot_fixed/low

A Buyer May Be Able to Make Free Paymentsnot_fixed/low

Application Monitoring Can Be Improved by Emitting More Eventsnot_fixed/low

Excessive Ether Funds are Refunded to the `buyer` Rather than `msg.sender`not_fixed/low

Expiration Date for Protocol Supportnot_fixed/low

Contracts (2)