Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

Lack of User Visibility on Remaining Balance for "Trick" in resolveTrick()

Summary

In resolveTrick(), a user who landed in the "trick" branch of trickOrTreat(), where the treat costs double its base price, has no straightforward way to read how much additional ETH is still owed to complete the purchase. This is a usability issue: users cannot tell how much more ETH to send, which leads to failed (reverted) transactions and a poor user experience.

Vulnerability Details

  • A user calls trickOrTreat with insufficient funds during a "trick" (double-price) scenario.

  • The NFT is marked as pending, and the user is required to complete the payment by calling resolveTrick.

  • The user has no straightforward way to determine the remaining amount they owe to complete the transaction.

Impact

Users cannot view the remaining amount required and may send an incorrect value, resulting in reverted transactions and gas spent on failed attempts.

Tools Used

Manual review

Recommendations

Add a public view function, getPendingBalance(uint256 tokenId), so users can check the remaining ETH required to complete the payment in the "trick" scenario. Here is an example of how it could be implemented:

    function getPendingBalance(uint256 tokenId) public view returns (uint256) {
        // Only tokens parked by the "trick" branch have a pending payment.
        require(pendingNFTs[tokenId] != address(0), "No pending payment for this tokenId");
        string memory treatName = tokenIdToTreatName[tokenId];
        uint256 requiredCost = treatList[treatName].cost * 2; // Double price for trick
        uint256 amountPaid = pendingNFTsAmountPaid[tokenId];
        // Return the shortfall still owed; 0 if the user has already covered it.
        return requiredCost > amountPaid ? requiredCost - amountPaid : 0;
    }
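To show how the proposed view fits the pending-payment flow, here is an added stand-alone Foundry example. It is not the SpookySwap contract from the First Flight and is not code from the original submission: the contract name PendingTrickExample, the startTrick stand-in, the "candy" treat, its 1 ether cost and the payment amounts are all assumptions constructed for illustration, and the ERC-721 minting, randomness and constructor of the real contract are left out. Only the storage names used in the recommendation above (pendingNFTs, pendingNFTsAmountPaid, tokenIdToTreatName, treatList) are carried over. The test checks the property a user cares about: resolveTrick succeeds exactly when msg.value is at least the value returned by getPendingBalance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustrative minimal contract (assumption: not the audited SpookySwap code).
/// It keeps only the storage the finding refers to so the view can be exercised.
contract PendingTrickExample {
    struct Treat {
        uint256 cost;
    }

    mapping(string => Treat) public treatList;
    mapping(uint256 => address) public pendingNFTs;
    mapping(uint256 => uint256) public pendingNFTsAmountPaid;
    mapping(uint256 => string) public tokenIdToTreatName;

    constructor() {
        treatList["candy"] = Treat({cost: 1 ether}); // constructed sample data
    }

    /// Stand-in for the "trick" branch of trickOrTreat (assumption): the caller
    /// has sent less than double the base cost, so the token is parked as pending.
    function startTrick(uint256 tokenId, string memory treatName) external payable {
        uint256 requiredCost = treatList[treatName].cost * 2;
        require(msg.value < requiredCost, "nothing pending: full price was paid");
        pendingNFTs[tokenId] = msg.sender;
        pendingNFTsAmountPaid[tokenId] = msg.value;
        tokenIdToTreatName[tokenId] = treatName;
    }

    /// The view proposed in the recommendation: ETH still owed for a pending token.
    function getPendingBalance(uint256 tokenId) public view returns (uint256) {
        require(pendingNFTs[tokenId] != address(0), "No pending payment for this tokenId");
        uint256 requiredCost = treatList[tokenIdToTreatName[tokenId]].cost * 2;
        uint256 amountPaid = pendingNFTsAmountPaid[tokenId];
        return requiredCost > amountPaid ? requiredCost - amountPaid : 0;
    }

    /// Completion step; passes exactly when msg.value >= getPendingBalance(tokenId).
    function resolveTrick(uint256 tokenId) external payable {
        require(pendingNFTs[tokenId] == msg.sender, "Not authorized to resolve this NFT");
        uint256 owed = getPendingBalance(tokenId);
        require(msg.value >= owed, "Insufficient ETH sent to complete purchase");

        delete pendingNFTs[tokenId];
        delete pendingNFTsAmountPaid[tokenId];
        delete tokenIdToTreatName[tokenId];

        // Refund any overpayment so the user never loses ETH by rounding up.
        if (msg.value > owed) {
            (bool ok, ) = msg.sender.call{value: msg.value - owed}("");
            require(ok, "Refund failed");
        }
    }
}

contract PendingTrickExampleTest is Test {
    PendingTrickExample swap;
    address user = makeAddr("user");

    function setUp() public {
        swap = new PendingTrickExample();
        vm.deal(user, 10 ether);
    }

    function test_viewMatchesResolve() public {
        vm.startPrank(user);

        // Partial payment: 1.25 ETH against a doubled price of 2 ETH.
        swap.startTrick{value: 1.25 ether}(1, "candy");
        assertEq(swap.getPendingBalance(1), 0.75 ether);

        // Sending less than the reported balance reverts, as the finding describes.
        vm.expectRevert(bytes("Insufficient ETH sent to complete purchase"));
        swap.resolveTrick{value: 0.5 ether}(1);

        // Sending exactly the reported balance completes the purchase.
        swap.resolveTrick{value: 0.75 ether}(1);
        assertEq(swap.pendingNFTs(1), address(0));

        // Once resolved, the view reports that nothing is pending.
        vm.expectRevert(bytes("No pending payment for this tokenId"));
        swap.getPendingBalance(1);

        vm.stopPrank();
    }
}
```

Run it with `forge test --match-contract PendingTrickExampleTest` in a Foundry project that has forge-std installed. A front end would call getPendingBalance off-chain (an eth_call) and pre-fill the value of the resolveTrick transaction, which is the usability gap the submission points at.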
Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
