Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Status: Invalid

No Tracking of ERC20 Balances When Users Transfer Tokens

Summary

In the mint function of RAACNFT.sol, the contract accepts ERC20 tokens but does not record per-user balances. If a withdrawal or refund function is implemented in the future, there will be no way to determine how much each user has deposited.

Attack Scenario:

  1. User sends 100 tokens to the contract.

  2. The contract does not record the deposit, making refunds or future withdrawals impossible.

  3. Users cannot reclaim their funds because the contract does not track their deposits.

Proof of Concept (PoC)

Scenario: User Transfers ERC20 Tokens, but Contract Fails to Track

mint(1, 100); // User transfers 100 ERC20 tokens
mint(2, 200); // Another user transfers 200 ERC20 tokens

// userBalances[msg.sender] is NOT updated, so contract has no idea who owns what.

If a withdrawal feature is added later, users won't be able to withdraw anything because the contract has no record of their deposits.

Vulnerability Details

Impact

Users won't be able to withdraw anything because the contract has no record of their deposits.

Tools Used

Manual review

Recommendations

Add a mapping to track user balances:

mapping(address => uint256) public userBalances;

Then update the balance when users transfer tokens:

userBalances[msg.sender] += _amount;

And subtract the amount when they withdraw or get a refund:

userBalances[msg.sender] -= refundAmount;
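The recommendation above, put together as one standalone contract. This is an added illustration, not the RAACNFT contract or any RAAC code; the IERC20 interface, the `token` and `ownerOf` state, and the `refund` function are assumed names for the example. It records the deposit and updates state before the external token calls (checks-effects-interactions), and the refund can never pay out more than the ledger shows for the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the recommended bookkeeping; not the RAACNFT contract.
// IERC20, token, ownerOf and refund are assumed names for this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DepositTrackingMint {
    IERC20 public immutable token;
    mapping(address => uint256) public userBalances; // per-user deposits
    mapping(uint256 => address) public ownerOf;      // minimal NFT ownership

    constructor(IERC20 _token) {
        token = _token;
    }

    // Mirrors the page's mint(tokenId, amount): pay _amount tokens, receive the NFT.
    function mint(uint256 _tokenId, uint256 _amount) external {
        require(_amount > 0, "zero amount");
        require(ownerOf[_tokenId] == address(0), "already minted");
        // Effects first: record who deposited what before touching the token.
        userBalances[msg.sender] += _amount;
        ownerOf[_tokenId] = msg.sender;
        // Interaction last; a failing transfer reverts the bookkeeping above.
        require(token.transferFrom(msg.sender, address(this), _amount), "transfer failed");
    }

    // Refund path that can only return what the ledger records for the caller.
    // What happens to the minted NFT on refund is not decided here (assumption).
    function refund(uint256 refundAmount) external {
        require(userBalances[msg.sender] >= refundAmount, "insufficient deposit");
        userBalances[msg.sender] -= refundAmount; // effects before the external call
        require(token.transfer(msg.sender, refundAmount), "transfer failed");
    }
}
```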

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
