Submission Details
Severity:
Missing Token ID in NftClaimed Event
Summary
The function claimNft emits the event NftClaimed(nftAddress); but does not include the token ID of the NFT being claimed. This results in incomplete logging, making it difficult to track which specific NFT was claimed.
Vulnerability Details
function claimNft(address nftAddress) external {
if(nftAddress == address(0)) {
revert TokenDivider__NftAddressIsZero();
}
ERC20Info storage tokenInfo = nftToErc20Info[nftAddress];
if(balances[msg.sender][tokenInfo.erc20Address] < erc20ToMintedAmount[tokenInfo.erc20Address]) {
revert TokenDivider__NotEnoughErc20Balance();
}
ERC20ToGenerateNftFraccion(tokenInfo.erc20Address).burnFrom(msg.sender, erc20ToMintedAmount[tokenInfo.erc20Address]);
balances[msg.sender][tokenInfo.erc20Address] = 0;
erc20ToMintedAmount[tokenInfo.erc20Address] = 0;
emit NftClaimed(nftAddress); <== @audit token Id missing
IERC721(nftAddress).safeTransferFrom(address(this), msg.sender, tokenInfo.tokenId);
}
Users cannot determine which NFT was claimed when monitoring blockchain events.
Indexers and off-chain tools cannot properly track claims.
Impact
NFT transfers typically log tokenId to track ownership changes.
Tools Used
manual review
Recommendations
Modify the event definition to include tokenId:
event NftClaimed(address indexed nftAddress, uint256 indexed tokenId);
And update the function:
emit NftClaimed(nftAddress, tokenInfo.tokenId);
Rewards breakdown
nSLOC
181This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.