Submission Details
Severity:
`withdraw` function does not observe the CEI model
Description:
All functions in the protocol observe the CEI model with the exception of the StarknetAuction::withdraw The call to emit the Withdraw event is made after the transfer (to owner or losing bidder(s)) is called.
self.emit(Withdraw {amount: amount, caller: caller});
Impact:
If the transfer is reverted the event will not be emitted. This is very low impact. However the event information may be useful for troubleshooting or for a user monitoring the contract.
Recommended Mitigation
The Withdraw event in the withdraw method should be called before the transfer methods are called.
fn withdraw(ref self: ContractState) {
assert(self.started.read(), 'Auction is not started');
assert(self.ended.read(), 'Auction is not ended');
let caller = get_caller_address();
let sender = get_contract_address();
let erc20_dispatcher = IERC20Dispatcher { contract_address: self.erc20_token.read() };
let amount = self.bid_values.entry(caller).read();
let amount_owner = self.highest_bid.read();
+ self.emit(Withdraw {amount: amount, caller: caller});
if caller == self.nft_owner.read() {
self.highest_bid.write(0);
erc20_dispatcher.transfer_from(sender, caller, amount_owner.into());
}
if amount > 0 {
let sender = get_contract_address();
erc20_dispatcher.transfer_from(sender, caller, amount.into());
}
- self.emit(Withdraw {amount: amount, caller: caller});
}
Rewards breakdown
nSLOC
132This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.