Submission Details
Impact:
Likelihood:
No event emission upon withdrawl of funds by the owner to the organizer address
Root + Impact
Description
-
The owner withdraws the collected funds for the event to the target address i.e. organizer
-
There is no event emission upon withdraw
// Root cause in the codebase with @> marks to highlight the relevant section
// Organizer withdraws ETH
@> function withdraw(address target) external onlyOwner {
payable(target).transfer(address(this).balance);
}
Risk
Likelihood:
This will occur when the withdraw function is called by the owner
Impact:
This cannot be recorded by on chain or block explorer and we are unable to know how much amount is withdrawn.
Proof of Concept
// There is no POC as there is no event emission
Recommended Mitigation
Event emission added with the owner added in parameters and also added check that organizer should be the target address.
event FundsWithdrawn(address indexed by, address indexed to, uint256 amount);
// Organizer withdraws ETH
function withdraw(address target) external onlyOwner {
- payable(target).transfer(address(this).balance);
+ require(target == organizer, "Target must be the organizer");
+ uint256 amount = address(this).balance;
+ require(amount > 0, "No ETH to withdraw");
+ payable(target).transfer(amount );
+ emit FundsWithdrawn(msg.sender, target, amount);
}
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Missing events / Events not properly configured
Informational. This protocol doesn't rely on events to function, they are just nice to have, but not mandatory.
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.