Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Free real ETH(don't take it seriously, it's my first try)

Root + Impact

Description

What should normally happen is that only the owner of the credits should receive their failed transfer credits. But since there is no check that msg.sender == _receiver, anyone can pass any address.


function withdrawAllFailedCredits(address _receiver) external {
    // Amount is read from the caller-supplied _receiver ...
    uint256 amount = failedTransferCredits[_receiver];
    require(amount > 0, "No credits to withdraw");
    // ... but the reset and the payout both use msg.sender, so the
    // _receiver's balance is never zeroed and the caller is paid instead.
    failedTransferCredits[msg.sender] = 0;
    (bool success, ) = payable(msg.sender).call{value: amount}("");
    require(success, "Withdraw failed");
}

Risk

Likelihood:

  • Anyone with as small a brain as mine will drain this contract dry

  • Sorry, I really suck at putting words together

Impact:

  • Your marketplace is drained dry

Proof of Concept

What should be here? Like a deployed contract on a testnet and an attack?
I really don't get it

Recommended Mitigation

  • Follow CEI (checks-effects-interactions): zero the credit balance before making the external call.

  • Add reentrancy protection on function withdrawAllFailedCredits(address _receiver).

  • In function withdrawAllFailedCredits, the line uint256 amount = failedTransferCredits[_receiver]; should use msg.sender instead of _receiver, so the balance that is read, reset and paid out all belong to the caller.
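The mitigation above, written out as an added example (this is not the Bid Beasts code and not part of the original submission). The contract name FailedCreditsFixed, the creditFailedTransfer helper that stands in for the marketplace's own failed-transfer bookkeeping, and the test contract are all assumptions made for illustration. The rewritten withdraw function takes no address parameter, reads, zeroes and pays the credit of msg.sender only, clears state before the external call, and is guarded against reentrancy. The Foundry test that follows in the same file checks that another account cannot withdraw a victim's credit and that the credit owner is paid exactly once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not the Bid Beasts marketplace code: a minimal sketch of the
// failed-credit bookkeeping with withdrawAllFailedCredits fixed as the
// recommended mitigation describes. Names here are illustrative assumptions.
contract FailedCreditsFixed {
    mapping(address => uint256) public failedTransferCredits;
    bool private locked; // simple reentrancy lock

    modifier nonReentrant() {
        require(!locked, "Reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Stand-in for the marketplace crediting a recipient whose ETH transfer
    // failed. In this example anyone may fund a credit so the test can set state.
    function creditFailedTransfer(address recipient) external payable {
        failedTransferCredits[recipient] += msg.value;
    }

    // Fixed version: the balance read, the reset and the payout all key off
    // msg.sender; state is zeroed before the external call (CEI); the call is
    // additionally guarded by the nonReentrant modifier.
    function withdrawAllFailedCredits() external nonReentrant {
        uint256 amount = failedTransferCredits[msg.sender];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0; // effect before interaction
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
    }
}

// Foundry test for the fixed contract (kept in the same file for brevity).
contract FailedCreditsFixedTest is Test {
    FailedCreditsFixed target;
    address victim = makeAddr("victim"); // constructed addresses for the test
    address other = makeAddr("other");

    function setUp() public {
        target = new FailedCreditsFixed();
        vm.deal(address(this), 1 ether);
        // Give the victim a 1 ether failed-transfer credit.
        target.creditFailedTransfer{value: 1 ether}(victim);
    }

    // Another account cannot touch the victim's credit: there is no address
    // parameter to pass, and the caller's own balance is zero.
    function test_otherAccountCannotWithdrawVictimCredits() public {
        vm.prank(other);
        vm.expectRevert("No credits to withdraw");
        target.withdrawAllFailedCredits();
        assertEq(target.failedTransferCredits(victim), 1 ether);
        assertEq(address(target).balance, 1 ether);
    }

    // The credit owner receives exactly their own credit and the balance is cleared.
    function test_ownerReceivesOwnCredits() public {
        vm.prank(victim);
        target.withdrawAllFailedCredits();
        assertEq(victim.balance, 1 ether);
        assertEq(target.failedTransferCredits(victim), 0);
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. Dropping the _receiver parameter entirely, rather than adding a msg.sender == _receiver check, removes the attacker-controlled input altogether and makes the read, reset and payout impossible to desynchronise again.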
Updates

Lead Judging Commences

cryptoghost Lead Judge
about 2 months ago
cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeast Marketplace: Unrestricted FailedCredits Withdrawal

withdrawAllFailedCredits allows any user to withdraw another account’s failed transfer credits due to improper use of msg.sender instead of _receiver for balance reset and transfer.
