Starknet Auction

First Flight #26
Beginner Friendly, NFT
100 EXP
Submission Details
Severity: medium
Invalid

Lack of State Updates Before External Calls

Description:

  • Location in Code: The end and withdraw functions.

  • State variables are sometimes updated after making external calls.

  • If the external call fails or is exploited, the state may not reflect the correct status.

Impact:

  • The contract's state may be inconsistent, leading to vulnerabilities or loss of funds.

Proof of Code:

fn end(ref self: ContractState) {
    // ...
    // External call made before state update
    erc721_dispatcher.safe_transfer_from(sender, recipient, self.nft_id.read().into());
    self.ended.write(true); // State updated after external call
    // ...
}

Recommendation:

  • Update state before external calls.

  • Reorder code to ensure state reflects the intended action before any external interaction.

Corrected Code:

fn end(ref self: ContractState) {
    // ...
    self.ended.write(true); // State updated before external call
    erc721_dispatcher.safe_transfer_from(sender, recipient, self.nft_id.read().into());
    // ...
}

Updates

Lead Judging Commences

bube (Lead Judge), 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
