QA Report

[code423n4]

##Low
#Title : User might accidentally sent to market

Explanation : the Market contract preventing user to send eth directly to the contract by adding https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketCore.sol#L36, however by calling withdrawFrom() with set the to parameter to market contract, then the market willingly except eth, since the msg.sender is feth, by adding check with require(to != address(market)) on withdrawFrom(), this can prevent user accidentally send etc to the market contract.

Navigation : https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/FETH.sol#L418

#Title : Signature replay on NFTMarketPrivateSale

Explanation : A seller sign a message when the seller want to approve the buyer to buy the NFT, however there no nonce in place for the digest calculation, therefore in certain condition the buyer might buy the NFT again from the seller.

POC :

1. The seller want to sell NFT id 1 for 1 ETH
2. The seller sign a message to approve the buyer to buy NFT id 1 for 1 ETH
3. The buyer get the NFT
4. The buyer sell the NFT id 1 to the seller 1.2 ETH
5. the seller want to sell the NFT id 1 for 2 ETH
6. Since the signature that was given by the seller in the 2 step is still valid the buyer can buy the NFT id 1 for 1 ETH
7. Buyer get the NFT with the old price.

Navigation : https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketPrivateSale.sol#L162

[HardlyDifficult]

• User might accidentally sent to market: Agree! Thanks for pointing this out. Users often make simple copy paste errors like this. We have added the recommended check.
• Signature replay on NFTMarketPrivateSale: We have added a mapping to track already accepted terms to avoid any issues with signature replay.

[alcueca]

Unadjusted score: 30