Submission Details
Impact: medium
Likelihood: medium
Invalid

Lack of Synchronization and Error Handling in Fund Transfers and Balance Updates

Root + Impact

Description

  • The owner transfers APT funds to the contract and updates the internal balance accordingly. However, failures or errors during the transfer are not fully checked, which may cause discrepancies between the internal and real balances.

coin::transfer<AptosCoin>(owner, resource_addr, amount);
state.balance = state.balance + amount; @> // No error handling after transfer call

Risk

Likelihood:

  • Network or unexpected errors may cause transfer failure.

  • Balance may be updated despite transfer failure.

Impact:

  • Contract balance mismatch causes fund management errors.

  • User claims or accounting may be incorrect.

Proof of Concept

If transfer fails but balance is increased, internal state is inconsistent.

Recommended Mitigation

-fun fund_pizza_drop(owner: &signer, amount: u64) acquires ModuleData, State {
- let state = borrow_global_mut<State>(get_resource_address());
- assert!(signer::address_of(owner) == state.owner, E_NOT_OWNER);
- let resource_addr = get_resource_address();
- coin::transfer<AptosCoin>(owner, resource_addr, amount);
- state.balance = state.balance + amount;
-}
+fun fund_pizza_drop(owner: &signer, amount: u64) acquires ModuleData, State {
+ let state = borrow_global_mut<State>(get_resource_address());
+ assert!(signer::address_of(owner) == state.owner, E_NOT_OWNER);
+ let resource_addr = get_resource_address();
+ let transfer_result = coin::transfer<AptosCoin>(owner, resource_addr, amount);
+ if (!transfer_result.success) {
+ abort E_INSUFFICIENT_FUND; // Or suitable error code to prevent state update
+ }
+ state.balance = state.balance + amount;
+}
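
Review bot: the added lines `let transfer_result = coin::transfer<AptosCoin>(owner, resource_addr, amount);` and `if (!transfer_result.success) {` will not compile, because `coin::transfer` in the Aptos framework returns no value. A failed transfer aborts the whole transaction, and a Move abort reverts every state change made in it, so `state.balance = state.balance + amount;` can never take effect after a failed transfer; the removed version already had that property. If a module-specific error code is wanted, assert on the owner's balance before the transfer (for example with `coin::balance<AptosCoin>`) and abort with `E_INSUFFICIENT_FUND` there, rather than inspecting a return value.
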
Updates

Appeal created

bube Lead Judge 11 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
