Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect Event Emission in `trickOrTreat`

abhishekthakur

Summary

Root Cause: Swapped event is emitted during NFT escrow to contract instead of actual user claim

Impact: Off-chain systems could misinterpret NFT ownership and transaction state

Vulnerability Details

In the trick scenario where insufficient ETH is sent, the contract:

Mints the NFT to itself (contract) as escrow
Incorrectly emits a Swapped event showing the user as the recipient
Actually transfers the NFT to user only later in resolveTrick
No event is emitted when the actual transfer to user happens

Here is the current implementation:

// During trickOrTreat when price is doubled:

_mint(address(this), tokenId);

// ... storage updates ...

emit Swapped(msg.sender, _treatName, tokenId); // WRONG! NFT is not with msg.sender yet

// During resolveTrick:

_transfer(address(this), msg.sender, tokenId);

// No event emission! // WRONG! Should emit here

This creates several issues:

Off-chain systems might think user owns NFT before they actually do
No event is emitted when actual ownership transfer happens
Initial event has incorrect ownership information
Makes tracking NFT state more difficult

Impact

Off chain system will report wrong data regarding nft ownership

Tools Used

Manual Review

Recommendations

event TreatEscrowed(address indexed intendedRecipient, string treatName, uint256 tokenId, uint256 paidAmount, uint256 requiredAmount);

event TreatClaimed(address indexed recipient, string treatName, uint256 tokenId);

// In trickOrTreat:

if (msg.value < requiredCost) {

uint256 tokenId = nextTokenId;

_mint(address(this), tokenId);

_setTokenURI(tokenId, treat.metadataURI);

nextTokenId += 1;

pendingNFTs[tokenId] = msg.sender;

pendingNFTsAmountPaid[tokenId] = msg.value;

tokenIdToTreatName[tokenId] = _treatName;

emit TreatEscrowed(msg.sender, _treatName, tokenId, msg.value, requiredCost);

}

// In resolveTrick:

function resolveTrick(uint256 tokenId) public payable nonReentrant {

// ... existing checks ...

_transfer(address(this), msg.sender, tokenId);

emit TreatClaimed(msg.sender, tokenIdToTreatName[tokenId], tokenId);

// ... cleanup ...

}

Updates

Appeal created

bube Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect Swapped event emission

The protocol emits a Swapped event even when the user has not sent enough ETH to complete the transaction.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.