NFT Marketplace Smart Contract Audit Guidelines

Learn how to secure your marketplace against the hacks that have hit NFT platforms.

NFTs have been hyped for the last few years, and the range of use cases is wide: from recording property ownership to in-game assets. NFT marketplaces have grown alongside them.

An NFT marketplace is a platform that makes transferring NFT ownership easier and sets the rules for buying and selling. NFTs are listed for sale there, and the buying and bidding mechanisms shape the seller's experience, while buyers rely on the security of the marketplace's smart contracts.

Now consider how crucial it is for a marketplace to stay secure and protect itself and its users from fraud and hacks. If the marketplace smart contracts were compromised, a single vulnerability could cost millions of dollars. The marketplace has to stay alert against constantly evolving web3 security threats. At QuillAudits we understand this need and have collected some vital tips for securing an NFT marketplace. Let's look at them one by one.


This section presents tips and an NFT marketplace checklist to help your marketplace stay secure against the ever-advancing wave of exploits.

1. Only Owner Functions

These are functions that only the marketplace operator (the contract owner) can call; no buyer or seller of NFTs can execute them. They are useful for administering the platform, but if they are implemented carelessly they can cost you the marketplace. The owner key is also a single point of failure, so it should be held by a multisig or placed behind a timelock rather than a single externally owned account.

For example, it should never be possible to set the fee parameter to 100% so that sellers earn nothing and the whole sale amount goes to the owner (the marketplace). An unbounded fee lets a compromised or careless owner drain sellers, and users will not trust a marketplace where that is possible. Every input to these functions needs a proper range check, and the fee arithmetic must be verified so that a fee at the cap cannot make the seller payout underflow (which reverts in Solidity 0.8 and would block every sale).
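As an added example (not code from the original post or from any real marketplace), here is an unbounded fee setter beside a bounded one. Fees are expressed in basis points, so 10_000 bp is 100%; the 10% cap (MAX_FEE_BPS) and the contract names are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: an unbounded fee setter next to a bounded one. Not code from
// the original post or any real marketplace. Fees are in basis points
// (1 bp = 0.01%), so 10_000 bp = 100%; the 10% cap is an assumed value.

contract FeeConfigUnchecked {
    address public owner = msg.sender;
    uint256 public feeBps;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable: nothing stops the owner from setting 10_000 (100%), which
    // leaves sellers with nothing, or more than 10_000, which makes the
    // subtraction in splitPrice underflow and revert, blocking every sale.
    function setFee(uint256 newFeeBps) external onlyOwner {
        feeBps = newFeeBps;
    }

    function splitPrice(uint256 price) public view returns (uint256 fee, uint256 toSeller) {
        fee = (price * feeBps) / 10_000;
        toSeller = price - fee;
    }
}

contract FeeConfigBounded {
    uint256 public constant BPS_DENOMINATOR = 10_000;
    uint256 public constant MAX_FEE_BPS = 1_000; // hard cap of 10%, assumed for illustration

    address public owner = msg.sender;
    uint256 public feeBps;

    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Hardened: the cap is enforced on every update and the change is logged
    // so users and off-chain monitoring can see it.
    function setFee(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee exceeds cap");
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    // Because feeBps <= MAX_FEE_BPS < BPS_DENOMINATOR, fee is always less than
    // price and the subtraction can never underflow.
    function splitPrice(uint256 price) public view returns (uint256 fee, uint256 toSeller) {
        fee = (price * feeBps) / BPS_DENOMINATOR;
        toSeller = price - fee;
    }
}
```

The same pattern applies to every owner-settable parameter: a fee recipient must not be the zero address, an auction duration needs a minimum and maximum, and so on. A unit test that calls setFee(10_000) and setFee(MAX_FEE_BPS + 1) and expects a revert is cheap insurance.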

2. Automated bots

Automated bots are programs that execute on their own with little human intervention. Bots can distort NFT sales, inflate prices and snap up limited NFT drops or launches, all of which can heavily impact the marketplace.

Bots can be mitigated, deterred or blocked, but first they have to be identified, which is hard: on chain, a bot is just another address. Common on-chain mitigations are per-wallet mint or purchase limits, allowlists or signed mint permits, and commit-reveal schemes for drops, with detection and rate limiting handled off chain. To protect your platform from such attacks, contact NFT auditors and outsource this work to Web3 security companies such as QuillAudits, who can help you fix the issue and advise on how to proceed.

3. Payable functions

Payable functions in marketplace contracts, such as buy(), must be tested and checked thoroughly. When a function has many if branches it is easy to miss a check on one path. For example, one branch may accept the buyer's ether and complete without executing some critical operation, such as transferring the NFT or forwarding the payment, so the ether is stuck in the contract. Every path through a payable function should either complete the sale or revert, and every wei received should be accounted for as price, fee or refund of any excess.

4. Bidding-related checks

Bidding is a crucial marketplace function for users, but it can introduce many bugs if not handled carefully. Some important and necessary checks:

  1. A new bid must always be greater than the previous bid (usually by a minimum increment) and must be placed before the auction ends.
  2. Is the bid token (e.g. USDC) transferred to the contract (address(this)) when the bid is placed, and is the transfer's return value checked? Check the calculations thoroughly.
  3. When the sale is over, how does the winner claim the NFT? The NFT should be held by the contract itself (address(this)) so that it can transfer the NFT to the winner without further approvals, and the winning bid amount should go to the seller. Again, check the calculations.
  4. Whenever a new bid is placed, the previous bidder must get their bid amount back. This simple but crucial step is sometimes missed, or has calculation errors. Prefer crediting the refund for the previous bidder to withdraw (pull payments) over pushing it inside the bid function, so that a bidder whose receiving contract reverts cannot block everyone else from bidding. Write test cases for this.
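The following English auction is an added example of the four checks above; it is not code from the original post or from any real marketplace. The minimal IERC721 and IERC20 interfaces stand in for the real token contracts, the hand-rolled nonReentrant modifier stands in for a library guard, and the function and struct names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of the four bidding checks; not code from the original post.
// Minimal interfaces stand in for the real ERC-721 and ERC-20 contracts.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EnglishAuction {
    struct Auction {
        address seller;
        IERC721 nft;
        uint256 tokenId;
        IERC20 bidToken;      // e.g. USDC; bids are escrowed in this contract
        uint256 reservePrice;
        uint256 minIncrement; // each new bid must beat the last by at least this
        uint64 endTime;
        address highestBidder;
        uint256 highestBid;
        bool settled;
    }

    uint256 public nextAuctionId;
    mapping(uint256 => Auction) public auctions;
    // Outbid amounts are credited here for withdrawal (pull payments), so a
    // bidder whose token transfer fails cannot block new bids.
    mapping(IERC20 => mapping(address => uint256)) public refunds;
    bool private locked;

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    // The seller escrows the NFT here at creation, so settlement never depends
    // on an approval that the seller could later revoke.
    function createAuction(IERC721 nft, uint256 tokenId, IERC20 bidToken,
        uint256 reservePrice, uint256 minIncrement, uint64 duration)
        external nonReentrant returns (uint256 id)
    {
        require(duration > 0 && minIncrement > 0, "bad params");
        id = nextAuctionId++;
        Auction storage a = auctions[id];
        a.seller = msg.sender;
        a.nft = nft;
        a.tokenId = tokenId;
        a.bidToken = bidToken;
        a.reservePrice = reservePrice;
        a.minIncrement = minIncrement;
        a.endTime = uint64(block.timestamp) + duration;
        nft.transferFrom(msg.sender, address(this), tokenId);
    }

    function bid(uint256 id, uint256 amount) external nonReentrant {
        Auction storage a = auctions[id];
        require(a.seller != address(0), "no auction");
        require(block.timestamp < a.endTime, "auction ended");
        if (a.highestBidder == address(0)) {
            require(amount >= a.reservePrice, "below reserve");
        } else {
            // Check 1: strictly higher than the previous bid, by minIncrement.
            require(amount >= a.highestBid + a.minIncrement, "bid too low");
            // Check 4: the previous bidder's escrowed amount is credited back.
            refunds[a.bidToken][a.highestBidder] += a.highestBid;
        }
        a.highestBidder = msg.sender;
        a.highestBid = amount;
        // Check 2: the bid token moves into escrow now; a token that signals
        // failure by returning false is caught, and a revert undoes the state above.
        require(a.bidToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdrawRefund(IERC20 token) external nonReentrant {
        uint256 amount = refunds[token][msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[token][msg.sender] = 0; // effects before interaction
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Check 3: once the auction ends anyone may settle it. The NFT, held by this
    // contract, goes to the winner and the winning bid to the seller; with no
    // bids the NFT returns to the seller.
    function settle(uint256 id) external nonReentrant {
        Auction storage a = auctions[id];
        require(a.seller != address(0), "no auction");
        require(block.timestamp >= a.endTime, "not ended");
        require(!a.settled, "already settled");
        a.settled = true;
        if (a.highestBidder == address(0)) {
            a.nft.transferFrom(address(this), a.seller, a.tokenId);
        } else {
            a.nft.transferFrom(address(this), a.highestBidder, a.tokenId);
            require(a.bidToken.transfer(a.seller, a.highestBid), "payout failed");
        }
    }
}
```

Two design points worth testing: the refund is credited before the new bid's transferFrom, so an outbid bidder is never both refunded and still counted as highest; and settle() pushes the payout to the seller, which means a seller address that cannot receive the bid token (for example, a blocklisted USDC address) would make settlement revert, so a production contract may want to credit the seller's proceeds to the same refunds mapping instead.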

5. Some common Checks

This section covers common checks that developers need to perform on marketplace smart contracts. They may be common, but they are not trivial: NFT smart contract vulnerabilities caused by these unchecked conditions can lead to heavy losses, and we do not want that. Let's have a look at them.

  1. If an oracle is used, can it be manipulated to return wrong answers?
  2. Re-listing an NFT at a new price without cancelling the previous listing should not be possible; otherwise the old listing can remain purchasable at the old price.
  3. Only a buyer who pays the full price, including the fee, should receive the NFT. Always double-check the fee deduction calculation.
  4. Review every external call made by the marketplace contract. If there are calls to untrusted contracts on chain (an NFT collection or payment token you do not control), follow the checks-effects-interactions pattern and use a reentrancy guard for protection.
  5. Check for front-running possibilities. Someone front-running a transaction should not be able to exploit the contract logic to get NFTs at a discount, pay less fee, etc. For example, buy() should take the price the buyer agreed to and revert if the listing has changed since.
  6. If the spot price of an exchange is used to determine fees or a buy price, check whether it can be manipulated, including with flash loans. Never depend on a spot price; use a manipulation-resistant oracle such as a time-weighted average price or a dedicated price feed.
  7. Ensure that NFT URIs cannot be changed once set and that metadata is stored on decentralised storage rather than on a centralised server that can be altered or taken down, which is how some rug pulls are carried out.
  8. Check whether an NFT can remain listed for sale even after the user has removed it from sale on the marketplace, for instance when listings rely on approvals and the NFT is transferred out of and back into the wallet. This bug was found on one of the most popular NFT platforms and resulted in owners losing NFTs.
  9. No marketplace logic should depend on the NFT merely being approved to the contract address. Use transferFrom to move the NFT from the seller into the contract when creating a sale, so that when the sale ends the NFT can be transferred directly to the buyer without depending on the seller's approval still being in place.
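The fixed-price marketplace below is an added example covering both the payable function concerns from section 3 and checks 2, 3, 4, 5, 8 and 9 above; it is not code from the original post or from any real marketplace. The minimal IERC721 interface stands in for the token contract, the hand-rolled nonReentrant modifier for a library guard, and the 10% fee cap, the expectedPrice parameter and all names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: escrow-based fixed-price listings with a fully accounted
// payable buy(). Not code from the original post or any real marketplace.
// The minimal interface stands in for the real ERC-721 contract.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract FixedPriceMarketplace {
    struct Listing {
        address seller;
        uint256 price; // in wei
    }

    uint256 public constant BPS_DENOMINATOR = 10_000;
    uint256 public constant MAX_FEE_BPS = 1_000; // 10% cap, assumed for illustration
    address public immutable owner;
    uint256 public immutable feeBps;
    // Keyed by (collection, tokenId): at most one live listing per NFT (check 2).
    mapping(IERC721 => mapping(uint256 => Listing)) public listings;
    bool private locked;

    event Listed(IERC721 indexed nft, uint256 indexed tokenId, address seller, uint256 price);
    event Cancelled(IERC721 indexed nft, uint256 indexed tokenId);
    event Sold(IERC721 indexed nft, uint256 indexed tokenId, address buyer, uint256 price, uint256 fee);

    constructor(uint256 initialFeeBps) {
        require(initialFeeBps <= MAX_FEE_BPS, "fee exceeds cap");
        owner = msg.sender;
        feeBps = initialFeeBps;
    }

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    // Check 9: the NFT is pulled into escrow, so the sale never relies on an
    // approval the seller could revoke, and (check 8) an NFT the seller has
    // taken back cannot stay purchasable. A second list() for the same token
    // reverts: a listing already exists and the seller no longer holds it.
    function list(IERC721 nft, uint256 tokenId, uint256 price) external nonReentrant {
        require(price > 0, "zero price");
        require(listings[nft][tokenId].seller == address(0), "already listed; cancel first");
        listings[nft][tokenId] = Listing({seller: msg.sender, price: price});
        nft.transferFrom(msg.sender, address(this), tokenId);
        emit Listed(nft, tokenId, msg.sender, price);
    }

    function cancel(IERC721 nft, uint256 tokenId) external nonReentrant {
        Listing memory l = listings[nft][tokenId];
        require(l.seller == msg.sender, "not seller");
        delete listings[nft][tokenId];
        nft.transferFrom(address(this), msg.sender, tokenId);
        emit Cancelled(nft, tokenId);
    }

    // Check 5: expectedPrice pins the buyer to the price they saw, so a seller
    // who cancels and re-lists at a higher price ahead of the buy cannot profit.
    function buy(IERC721 nft, uint256 tokenId, uint256 expectedPrice) external payable nonReentrant {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        require(l.price == expectedPrice, "price changed");
        require(msg.value >= l.price, "insufficient payment"); // check 3

        // Effects: remove the listing before any external call (check 4).
        delete listings[nft][tokenId];

        uint256 fee = (l.price * feeBps) / BPS_DENOMINATOR;
        uint256 toSeller = l.price - fee;
        uint256 refund = msg.value - l.price;

        // Interactions: NFT to buyer, proceeds to seller, fee to owner, excess
        // back to buyer. Every wei of msg.value is accounted for, so no ether
        // is stranded in the contract on any path.
        nft.transferFrom(address(this), msg.sender, tokenId);
        _pay(l.seller, toSeller);
        _pay(owner, fee);
        _pay(msg.sender, refund);
        emit Sold(nft, tokenId, msg.sender, l.price, fee);
    }

    function _pay(address to, uint256 amount) private {
        if (amount == 0) return;
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "ether transfer failed");
    }
}
```

Before calling list(), the seller must approve this contract for the token (or the whole collection) on the NFT contract; that approval is consumed by the transferFrom into escrow and is not relied on again. When testing buy(), cover the three payment cases separately: msg.value below the price (revert), exactly the price (no refund), and above the price (refund equals the excess), and assert that the contract's ether balance is zero after each successful sale.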


There are NFTs out there worth millions of dollars. Imagine how much of that value would evaporate if the NFT marketplaces were compromised. No marketplace wants that. Marketplace platforms run on the trust of their users, who should feel protected and secure in using the platform to its full potential.

The checks above are crucial and will help save your marketplace from attacks. Still, security always asks for more: attacks on valuable protocols keep advancing, and staying safe requires regular auditing of your contracts. QuillAudits' team of experienced experts helps you secure your protocols. Check out our website and get your Web3 project secured!

