Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Event Emitted After External Call May Obscure Reentrancy or Failure

Description: EggVault::withdrawEgg emits EggWithdrawn only after its external call returns. Because control leaves the vault before the log is written, any code that runs during that call (a token contract that calls back into the vault, or a receiver hook) executes, and may emit events of its own, before the withdrawal itself is logged, so the order of the logs no longer matches the order in which state changed. Note that a revert inside the call discards the event together with the rest of the transaction, so the "event without effect" case is confined to failures that do not revert, such as a low-level call whose return value is not checked or a token that signals failure by returning false; in those cases indexers like The Graph, or any backend that listens to events, would record a withdrawal that never took effect.

Impact: Incorrect off-chain state or user balance tracking, UI bugs, or even false confirmations to users.

Proof of Concept:

(bool success, ) = msg.sender.call{value: eggValue}("");   // control passes to msg.sender here
require(success, "Transfer failed");                        // a revert here also discards any later event
// event emitted only after the external call has returned
emit EggWithdrawn(msg.sender, eggValue);

Recommended Mitigation:

  • Emit the event before the external call (checks, effects including the event, then interaction):

function withdrawEgg(uint256 tokenId) public {
require(storedEggs[tokenId], "Egg not in vault");
require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
storedEggs[tokenId] = false;
delete eggDepositors[tokenId];
+ emit EggWithdrawn(msg.sender, tokenId);
eggNFT.transferFrom(address(this), msg.sender, tokenId);
- emit EggWithdrawn(msg.sender, tokenId);
}
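Review bot: in this hunk storedEggs and eggDepositors are already cleared before eggNFT.transferFrom, so the function follows checks-effects-interactions either way; moving the emit changes only the position of the log relative to the call, and because a revert in transferFrom discards the log in both orderings, the mitigation should be described as fixing log ordering, not as preventing a spurious event. The Proof of Concept above also emits EggWithdrawn(msg.sender, eggValue) after a value-transferring call, while this function emits EggWithdrawn(msg.sender, tokenId) after an NFT transfer; the two snippets disagree on the event's second argument and on which external call is in scope, so state which one EggVault actually declares.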
  • Apply the nonReentrant modifier from OpenZeppelin's ReentrancyGuard.sol to withdrawEgg.
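The ordering problem described above, shown end to end as an added example that is not EggVault's code: two minimal vaults differ only in whether EggWithdrawn is emitted before or after an external call that hands control back to the caller, and a Foundry test records the logs of a re-entrant caller under each ordering. The receiver hook name onEggReceived, the forge-std import paths, and the deposit bookkeeping are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not EggVault's code). The external call is modelled as a
// receiver hook (assumed name onEggReceived) so that a re-entrant caller can
// show how the two emit positions appear in the transaction's logs.
import {Test} from "forge-std/Test.sol";
import {Vm} from "forge-std/Vm.sol";

interface IEggReceiver {
    function onEggReceived(uint256 tokenId) external;
}

abstract contract VaultBase {
    event EggWithdrawn(address indexed to, uint256 indexed tokenId);

    mapping(uint256 => address) public eggDepositors;

    // Constructed setup: no NFT involved, the vault only records who may
    // withdraw which id.
    function deposit(uint256 tokenId) external {
        eggDepositors[tokenId] = msg.sender;
    }

    function withdrawEgg(uint256 tokenId) external virtual;
}

// Ordering flagged by the finding: state is cleared before the call, so a
// re-entrant withdrawal of the same id fails, but the log for this
// withdrawal is written only after the callee returns.
contract VaultEmitAfter is VaultBase {
    function withdrawEgg(uint256 tokenId) external override {
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        delete eggDepositors[tokenId];
        IEggReceiver(msg.sender).onEggReceived(tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }
}

// Recommended ordering: checks, effects (including the event), interaction.
contract VaultEmitBefore is VaultBase {
    function withdrawEgg(uint256 tokenId) external override {
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        delete eggDepositors[tokenId];
        emit EggWithdrawn(msg.sender, tokenId);
        IEggReceiver(msg.sender).onEggReceived(tokenId);
    }
}

// Depositor that owns ids 1 and 2 and, from the hook for id 1, withdraws id 2.
contract ReentrantReceiver is IEggReceiver {
    VaultBase public immutable vault;

    constructor(VaultBase v) { vault = v; }

    function depositBoth() external {
        vault.deposit(1);
        vault.deposit(2);
    }

    function start() external { vault.withdrawEgg(1); }

    function onEggReceived(uint256 tokenId) external override {
        require(msg.sender == address(vault), "unexpected caller");
        if (tokenId == 1) vault.withdrawEgg(2); // re-enter while id 1 is still unlogged
    }
}

// Foundry test: records the EggWithdrawn logs of one run and returns the
// tokenIds in the order they were emitted.
contract EventOrderTest is Test {
    function _withdrawnIds(VaultBase vault) internal returns (uint256[] memory ids) {
        ReentrantReceiver r = new ReentrantReceiver(vault);
        r.depositBoth();
        vm.recordLogs();
        r.start();
        Vm.Log[] memory logs = vm.getRecordedLogs();
        ids = new uint256[](logs.length);
        for (uint256 i = 0; i < logs.length; i++) {
            ids[i] = uint256(logs[i].topics[2]); // topics[2] is the indexed tokenId
        }
    }

    function test_emitAfterCall_logsReverseOrder() public {
        uint256[] memory ids = _withdrawnIds(new VaultEmitAfter());
        assertEq(ids.length, 2);
        assertEq(ids[0], 2); // id 2 is logged first although id 1 was withdrawn first
        assertEq(ids[1], 1);
    }

    function test_emitBeforeCall_logsCallOrder() public {
        uint256[] memory ids = _withdrawnIds(new VaultEmitBefore());
        assertEq(ids.length, 2);
        assertEq(ids[0], 1);
        assertEq(ids[1], 2);
    }
}
```

Run it with forge test in a project that has forge-std installed. The hook stands in for a callback such as ERC721's onERC721Received, which safeTransferFrom invokes on a contract recipient; a plain transferFrom, as used in the vault above, performs no such callback, so this interleaving only arises on the safe-transfer path or through an untrusted token contract, which is why the finding's impact is limited to log ordering for off-chain consumers.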

Updates

Lead Judging Commences

m3dython Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Event Emission

Standard practice for clarifying important contract behaviors
