Aderyn Analysis Report

This report was generated by Aderyn, a static analysis tool built by Cyfrin, a blockchain security company. This report is not a substitute for manual audit or security review. It should not be relied upon for any purpose other than to assist in the identification of potential security vulnerabilities.

Summary

Files Summary

| Key | Value |
| --- | --- |
| .sol Files | 4 |
| Total nSLOC | 439 |

Files Details

| Filepath | nSLOC |
| --- | --- |
| src/AuctionEndChecker.sol | 0 |
| src/FactoryNFTContract.sol | 64 |
| src/MarketPlace.sol | 265 |
| src/NFTContract.sol | 110 |
| Total | 439 |

Issue Summary

| Category | No. of Issues |
| --- | --- |
| High | 1 |
| Low | 2 |

High Issues

H-1: Arbitrary `from` passed to `transferFrom` (or `safeTransferFrom`)

Passing an arbitrary `from` address to `transferFrom` (or `safeTransferFrom`) can lead to loss of funds, because anyone can transfer tokens from the `from` address if an approval is made.

1 Found Instances
  • Found in src/MarketPlace.sol Line: 163

             IERC721(nftAddress).safeTransferFrom(seller, msg.sender, tokenId);

Low Issues

L-1: Centralization Risk for trusted owners

Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.

10 Found Instances
  • Found in src/FactoryNFTContract.sol Line: 16

     contract FactoryNFTContract is Ownable, ReentrancyGuard {
  • Found in src/FactoryNFTContract.sol Line: 95

         function setFee(uint256 _fee) external onlyOwner {
  • Found in src/FactoryNFTContract.sol Line: 99

         function withdraw(address payable recipient, uint256 amount) external onlyOwner {
  • Found in src/MarketPlace.sol Line: 10

     contract MarketPlace is Ownable, ReentrancyGuard, IERC721Receiver {
  • Found in src/MarketPlace.sol Line: 262

         function setDedicatedMsgSender(address _newDedicatedMsgSender) external onlyOwner {
  • Found in src/MarketPlace.sol Line: 271

         function setFee(uint256 _fee) external onlyOwner {
  • Found in src/MarketPlace.sol Line: 276

         function withdraw(address payable recipient, uint256 amount) external onlyOwner {
  • Found in src/NFTContract.sol Line: 21

     contract NFTContract is ERC721, ERC2981, ERC721Enumerable, ERC721URIStorage, Ownable, ReentrancyGuard {
  • Found in src/NFTContract.sol Line: 119

         function updateRoyaltyInfo(address contractOwner, uint96 newRoyaltyPercentage) external onlyOwner {
  • Found in src/NFTContract.sol Line: 134

         function setBaseURI(string memory baseURI) external onlyOwner {

L-2: `public` functions not used internally could be marked `external`

Instead of marking a function as `public`, consider marking it as `external` if it is not used internally.

2 Found Instances
  • Found in src/NFTContract.sol Line: 215

         function tokenURI(uint256 tokenId) public view override(ERC721, ERC721URIStorage) returns (string memory) {
  • Found in src/NFTContract.sol Line: 225

         function supportsInterface(