Skip to content

Fix minor code review issues in NFTStorefrontV2#113

Open
joshuahannan wants to merge 5 commits intomainfrom
josh/report-fixes
Open

Fix minor code review issues in NFTStorefrontV2#113
joshuahannan wants to merge 5 commits intomainfrom
josh/report-fixes

Conversation

@joshuahannan
Copy link
Member

@joshuahannan joshuahannan commented Mar 24, 2026
edited
Loading

Summary

Addresses issues identified in a security and code quality review of NFTStorefrontV2.cdc.

  • Bug fix (Issue 2): borrowNFT() — replace borrow()! force-unwrap with if-let so a revoked provider capability returns nil instead of panicking, honoring the documented return contract
  • Bug fix (Issue 4): Listing.init — replace silent nft! force-unwrap of borrowNFT result with ?? panic(...) for a descriptive error when the NFT ID is absent from the collection
  • Security (Issue 6): purchase() — assert commissionReceiver.check() before the allowlist loop so a revoked capability fails with a clear message rather than a confusing borrow() panic
  • Correctness (Issue 9): getDuplicateListingIDs — replace manual index loop with firstIndex(of:); mark getExistingListingIDs as view in interface, implementation, and MaliciousStorefrontV2
  • Style (Issue 10): createListing — eliminate allowedCommissionReceivers!.append() force-unwrap anti-pattern by building a local array directly
  • Style (Issue 11): createListing — replace self.owner?.address! optional-chain-then-force-unwrap with self.owner!.address
  • Style (Issue 12): cleanupExpiredListings — simplify index + UInt64(1) to index + 1
  • Docs (Issue 13): Add missing doc comment to setCustomID
  • Docs (Issue 14): Add missing doc comments to burnCallback and ResourceDestroyed

Test plan

  • make test passes (all 17 Cadence tests + Go tests green)
  • make ci passes

🤖 Generated with Claude Code

joshuahannan and others added 3 commits March 24, 2026 11:09
@joshuahannan @claude
fix report issues 2, 4, 6, 9, 10, 11, 12, 13, 14 in NFTStorefrontV2
01e86b1 
- Issue 2: borrowNFT() — replace force-unwrap on provider borrow() with
  if-let so a revoked capability returns nil instead of panicking
- Issue 4: Listing.init — replace nft! force-unwrap of borrowNFT result
  with ?? panic(...) for a descriptive error when the NFT is absent
- Issue 6: purchase() — assert commissionReceiver.check() before the
  allowlist loop so a revoked capability fails with a clear message
- Issue 9: getDuplicateListingIDs / getExistingListingIDs — replace
  manual index loop with firstIndex(of:); mark getExistingListingIDs
  view in interface and implementation; update MaliciousStorefrontV2
  to conform
- Issue 10: createListing — remove force-unwrap anti-pattern on
  allowedCommissionReceivers, build addresses array directly
- Issue 11: createListing — replace self.owner?.address! with
  self.owner!.address
- Issue 12: cleanupExpiredListings — simplify index + UInt64(1) to
  index + 1
- Issue 13: setCustomID — add missing doc comment
- Issue 14: burnCallback / ResourceDestroyed — add missing doc comments

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@joshuahannan @claude
add REPORT.md to .gitignore
b09d55e 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@joshuahannan @claude
add CLAUDE.md and AGENTS.md for AI assistant guidance
41089ef 
AGENTS.md is a symlink to CLAUDE.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@joshuahannan joshuahannan changed the title Fix code review issues 2, 4, 6, 9, 10, 11, 12, 13, 14 in NFTStorefrontV2 Fix minor code review issues in NFTStorefrontV2 Mar 24, 2026
@joshuahannan @claude
regenerate Go bindata assets and update CLAUDE.md
05e1ced 
Regenerate assets.go to embed the updated NFTStorefrontV2.cdc and
MaliciousStorefrontV2.cdc after the report fix commits.

Update CLAUDE.md to clarify that make ci (not make test) is the
required pre-commit gate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@joshuahannan @claude
add clarifying comment on nftProviderCapability field/init type inten…
739aff2 
…tional difference

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kay-Zee Kay-Zee Awaiting requested review from Kay-Zee

@nvdtf nvdtf Awaiting requested review from nvdtf

@j1010001 j1010001 Awaiting requested review from j1010001

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joshuahannan