NFT Marketplace Smart Contract Audit Guidelines


Learn to secure your marketplace from notorious hacks out there.

NFTs have been the subject of hype for the last few years, and the range of use cases is wide, from recording property ownership to in-game items. The same is true of the marketplaces where they are traded.

An NFT marketplace is a platform that facilitates the exchange of NFT ownership and defines the rules for buying and selling. It is where NFTs are listed for sale, and where different buying and bidding mechanisms serve sellers; buyers, in turn, rely on the security of the marketplace's smart contracts.

Think for a moment about how crucial it is for a marketplace to stay secure and protect itself and its users from fraud and hacks. A compromised marketplace contract can be drained of everything it custodies: a single vulnerability can mean the loss of millions of dollars. The marketplace therefore needs to stay on its toes against ever-evolving Web3 security threats. We at QuillAudits understand the need of the hour and bring some vital tips to help secure the NFT marketplace. Let's look at them one by one.


This section looks at tips and an NFT marketplace checklist to help your marketplace stay secure in the ever-advancing wave of exploits.

1. Only Owner Functions

These are functions that only the marketplace operator (the contract owner) can execute; no buyer or seller of NFTs can call them. They are useful for administering the platform, but if implemented carelessly they can cost you your marketplace.

For example, there should be no way for the fee parameter to be set to 100%, so that sellers earn nothing and the whole sale amount goes to the owner (the marketplace). If that is possible, users will not trust the marketplace and it will not grow. Every input to these functions needs a proper bounds check enforced in the contract itself, not only in the front end, because anyone holding the owner key can call the contract directly.

2. Automated bots

Automated bots are programs that run on their own with little human intervention. They can distort NFT sales, inflate prices and crowd out real users in limited NFT drops or launches, all of which can heavily impact the marketplace.

Bots can be mitigated, deterred and blocked, but first they have to be detected, and that is the hard part: on-chain, a script-driven address looks like any other, because the contract only ever sees msg.sender. To protect your platform from such attacks, contact NFT auditors and outsource this to Web3 security companies like QuillAudits, who can help you fix it and advise on how to proceed.

3. Payable functions

Payable functions in marketplace contracts, such as buy(), must be tested and checked thoroughly. When a function has many if branches, it is easy to miss an important check on one of them. For example, a buy() function may accept ether from the buyer and return successfully, yet skip a critical step on some branch (the NFT transfer, the payout to the seller, or the refund of an overpayment), leaving ether stuck in the contract. Make sure every branch either completes the sale or reverts.

4. Bidding-related checks

Bidding is a crucial marketplace function for users, but it can introduce a lot of bugs if not handled carefully. Some important and necessary checks:

  1. Ensure that a new bid is always strictly greater than the previous one (and ideally beats it by a minimum increment), for obvious reasons.
  1. Is the bid token (e.g. USDC) actually transferred to the contract (address(this)) when the bid is placed? Check the amounts and the calculations thoroughly.
  1. When the sale is over, how does the winner claim the NFT? The NFT should already be held by the contract itself (address(this)) so that it can transfer the token to the winner, and the winning bid amount should go to the seller. Again, check the calculations.
  1. Whenever a new bid is placed, the previous bidder must get their bid amount back. This simple but crucial step is sometimes missed, or implemented with calculation errors, so write test cases for it. Also consider how the refund is delivered: if the contract pushes the refund and the previous bidder's receiving code reverts, every later bid fails too; crediting the refund for the bidder to withdraw avoids that.
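To make these four checks concrete, here is an added example of an English auction paid in an ERC-20 bid token. It was written for this guide and is not code from QuillAudits or from any production marketplace. It assumes minimal hand-written IERC20 and IERC721 interfaces (a real project would import OpenZeppelin's), a hypothetical 5% minimum bid increment, and a bid token that returns a bool from transfer/transferFrom. It also makes one design choice the list above leaves open: the outbid bidder's refund is credited and pulled rather than pushed, so a bidder whose token transfer fails cannot block all later bids.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces; a real project would import the OpenZeppelin versions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function transfer(address to, uint256 value) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical English auction paid in an ERC-20 bid token (e.g. USDC).
contract TokenAuction {
    struct Auction {
        address seller;
        address nft;
        uint256 tokenId;
        uint256 endTime;
        uint256 reserve;
        address highestBidder;
        uint256 highestBid;
        bool settled;
    }

    uint256 public constant MIN_INCREMENT_BPS = 500; // assumption: a new bid must beat the old one by >= 5 %
    IERC20 public immutable bidToken;
    uint256 public nextId;
    mapping(uint256 => Auction) public auctions;
    // Check 4 as pull payments: an outbid bidder's tokens are credited here and withdrawn
    // by the bidder, so a bidder whose token transfer fails cannot block new bids.
    mapping(address => uint256) public refunds;

    constructor(IERC20 _bidToken) {
        bidToken = _bidToken;
    }

    // The NFT is escrowed in address(this) at creation, so settlement never depends
    // on the seller still holding the token or keeping an approval alive (check 3).
    function create(address nft, uint256 tokenId, uint256 reserve, uint256 duration) external returns (uint256 id) {
        require(duration > 0, "zero duration");
        id = nextId++;
        auctions[id] = Auction(msg.sender, nft, tokenId, block.timestamp + duration, reserve, address(0), 0, false);
        IERC721(nft).safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // Checks 1 and 2: the bid must be strictly higher than the current one (and meet the
    // reserve / minimum increment), and the bid token is actually pulled into address(this)
    // with transferFrom, whose return value is checked.
    function bid(uint256 id, uint256 amount) external {
        Auction storage a = auctions[id];
        require(a.seller != address(0), "no such auction");
        require(block.timestamp < a.endTime, "auction ended");
        uint256 minBid = a.highestBidder == address(0)
            ? a.reserve
            : a.highestBid + (a.highestBid * MIN_INCREMENT_BPS) / 10_000;
        require(amount > 0 && amount > a.highestBid && amount >= minBid, "bid too low");

        // Credit the previous bidder's refund before recording the new bid.
        if (a.highestBidder != address(0)) {
            refunds[a.highestBidder] += a.highestBid;
        }
        a.highestBidder = msg.sender;
        a.highestBid = amount;
        require(bidToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[msg.sender] = 0; // zero the balance before the external call
        require(bidToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Check 3: after the end, the NFT goes to the winner and the winning bid to the
    // seller; with no bids the NFT is simply returned to the seller.
    function settle(uint256 id) external {
        Auction storage a = auctions[id];
        require(a.seller != address(0), "no such auction");
        require(block.timestamp >= a.endTime, "not ended");
        require(!a.settled, "already settled");
        a.settled = true;
        if (a.highestBidder == address(0)) {
            IERC721(a.nft).safeTransferFrom(address(this), a.seller, a.tokenId);
        } else {
            IERC721(a.nft).safeTransferFrom(address(this), a.highestBidder, a.tokenId);
            require(bidToken.transfer(a.seller, a.highestBid), "transfer failed");
        }
    }

    // ERC-721 receiver hook, required for safeTransferFrom into this contract.
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return bytes4(keccak256("onERC721Received(address,address,uint256,bytes)")); // 0x150b7a02
    }
}
```

Two caveats when adapting this: tokens that do not return a bool from transfer/transferFrom (USDT is the well-known case) would make the require calls revert on ABI decoding, so real code should use OpenZeppelin's SafeERC20 wrappers; and the test suite for check 4 should assert that refunds[previousBidder] equals the outbid amount after a higher bid, and that withdrawRefund() zeroes it and moves exactly that many tokens.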

5. Some common Checks

This section covers common checks that developers need to perform on marketplace smart contracts. They may be common, but they are not trivial; NFT smart contract vulnerabilities caused by these unchecked conditions can lead to heavy losses, which nobody wants. Let's have a look at them.

  1. Check whether an oracle is used. Can that oracle be manipulated into returning wrong answers?
  1. Re-listing an NFT at a new price without cancelling the previous listing should not be possible; otherwise the old, cheaper listing may remain fillable.
  1. A buyer should receive the NFT only after paying the full listed price plus the fee. Always double-check the fee deduction calculation.
  1. Enumerate every external call the marketplace contract makes. If any of them reach untrusted contracts on-chain (arbitrary NFT collections, or buyer and seller contracts reached through receive hooks and callbacks), use a reentrancy guard and follow the checks-effects-interactions pattern.
  1. Check for front-running possibilities. Someone who front-runs a transaction should not be able to exploit the contract logic to obtain NFTs at a discount, pay less fee, etc.
  1. If an exchange's spot price is used to determine fees or the buy price, check whether it can be manipulated. Is it vulnerable to flash-loan attacks? Never depend on the spot price of a single exchange; use a manipulation-resistant price oracle instead.
  1. Ensure that an NFT's URI cannot be changed once set, and that the metadata is stored on decentralised file storage rather than centralised storage, which can easily be altered. This helps avoid rug pulls.
  1. Check whether an NFT can remain listed for sale even after the user has removed it from sale on the marketplace. This bug was found in one of the most popular NFT platforms and resulted in owners losing NFTs.
  1. No marketplace logic should depend on the NFT merely being approved to the contract address. The contract should pull the NFT from the seller to itself with transferFrom when the sale is created, so that when the sale ends the NFT can be transferred directly to the buyer without depending on the seller's approval still being in place.
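The following added example ties together tip 1 (a bounded owner-only fee setter), tip 3 (a payable buy() that either completes the sale or reverts) and checks 2, 4, 8 and 9 from this list in one hypothetical fixed-price marketplace. It was written for this guide and is not code from QuillAudits or from any production marketplace; the 10% fee cap, the minimal IERC721 interface and the hand-rolled reentrancy lock are assumptions (a real project would import OpenZeppelin's IERC721, Ownable and ReentrancyGuard).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface; a real project would import the OpenZeppelin IERC721.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical fixed-price marketplace used only to illustrate the checks above.
contract FixedPriceMarket {
    struct Listing {
        address seller;
        uint96 price; // in wei; packs into one storage slot with seller
    }

    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_FEE_BPS = 1_000; // assumption: hard cap of 10 %

    address public immutable owner;
    address public feeRecipient;
    uint256 public feeBps;
    uint256 private _lock = 1; // simple reentrancy lock

    // collection => tokenId => listing
    mapping(address => mapping(uint256 => Listing)) public listings;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(address _feeRecipient, uint256 _feeBps) {
        owner = msg.sender;
        feeRecipient = _feeRecipient;
        _setFeeBps(_feeBps);
    }

    // Tip 1: an owner-only setter whose input is bounded in the contract itself,
    // so a 100 % fee (sellers receive nothing) is impossible rather than merely unlikely.
    function setFeeBps(uint256 newFeeBps) external onlyOwner {
        _setFeeBps(newFeeBps);
    }

    function _setFeeBps(uint256 newFeeBps) internal {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        feeBps = newFeeBps;
    }

    // Check 9: the token is pulled into escrow with transferFrom when listed, so the sale
    // never depends on an approval the seller could revoke before settlement.
    // Check 2: an active listing must be cancelled before the token can be re-listed.
    function list(address nft, uint256 tokenId, uint96 price) external nonReentrant {
        require(price > 0, "zero price");
        require(listings[nft][tokenId].seller == address(0), "already listed");
        listings[nft][tokenId] = Listing(msg.sender, price);
        IERC721(nft).safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // Check 8: cancelling deletes the on-chain listing and returns the token,
    // so a "removed" listing can never be filled later.
    function cancel(address nft, uint256 tokenId) external nonReentrant {
        require(listings[nft][tokenId].seller == msg.sender, "not seller");
        delete listings[nft][tokenId];
        IERC721(nft).safeTransferFrom(address(this), msg.sender, tokenId);
    }

    // Tip 3: the payable path. Exact payment is required, the listing is cleared before
    // any external call (checks-effects-interactions, check 4), the fee is derived from
    // the stored price, and a failed payout reverts the whole purchase so ether is never
    // stranded in the contract.
    function buy(address nft, uint256 tokenId) external payable nonReentrant {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        require(msg.value == l.price, "wrong payment");
        delete listings[nft][tokenId];

        uint256 fee = (uint256(l.price) * feeBps) / BPS;
        uint256 proceeds = uint256(l.price) - fee;

        IERC721(nft).safeTransferFrom(address(this), msg.sender, tokenId);
        (bool okSeller, ) = payable(l.seller).call{value: proceeds}("");
        require(okSeller, "seller payout failed");
        if (fee > 0) {
            (bool okFee, ) = payable(feeRecipient).call{value: fee}("");
            require(okFee, "fee payout failed");
        }
    }

    // ERC-721 receiver hook, required for safeTransferFrom into this contract.
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return bytes4(keccak256("onERC721Received(address,address,uint256,bytes)")); // 0x150b7a02
    }
}
```

Tests worth writing against this shape: setFeeBps(MAX_FEE_BPS + 1) reverts; buy() with msg.value one wei above or below the price reverts; after cancel(), buy() on the same token reverts with "not listed"; and a buyer contract that re-enters buy() from its onERC721Received hook hits the reentrancy lock. The fee recipient and seller are paid with low-level call so the sale does not depend on a 2300-gas receive(), and a revert in either payout rolls back the NFT transfer as well.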


Many NFTs out there are worth millions of dollars. Imagine what they would be worth if the marketplaces they trade on were compromised. No marketplace wants that. Marketplace platforms run on the trust of their users, who should feel protected and secure enough to use the platform to its full potential.

The checks above are crucial and help protect your marketplace from attacks. Still, as you know, security always asks for more. Attacks on valuable protocols keep advancing, and staying safe from them requires regular auditing of your contracts; who better than QuillAudits to do this? With a team of experienced experts, we help you secure your protocols. Check out our website and get your Web3 project secured!

