BidBeastsNFTMarket::withdrawAllFailedCredits Allows Attackers to Steal Failed Credits from Users

Normally, the function BidBeastsNFTMarket::withdrawAllFailedCredits should allow a user to withdraw their own failed transfer credits safely.
The issue is that the function accepts a _receiver address but sends the funds to msg.sender, resets failedTransferCredits[msg.sender] instead of failedTransferCredits[_receiver], and never verifies that the caller is actually the intended _receiver. This mismatch between the parameter used to look up the balance and the address used for the payout and reset enables an attacker to withdraw another user's funds.
Likelihood:
This occurs whenever a victim has a positive failedTransferCredits balance and an attacker calls withdrawAllFailedCredits with the victim's address as _receiver. The function transfers the victim's credits to the attacker and clears the attacker's (already empty) mapping entry rather than the victim's.
Impact:
An attacker can steal funds from any user with failed transfer credits, resulting in unauthorized fund exfiltration.
Because the _receiver's mapping entry is never cleared, the same call can be repeated until the contract's balance is drained.
The exploit can be reproduced in a test environment:

1. Inject a non-zero failedTransferCredits[victim] entry directly into the contract's storage using Foundry's vm.store (the mapping is located at slot 5).
2. Fund the market contract so that it can pay out.
3. Call withdrawAllFailedCredits(victim) from an attacker-controlled address.

Because the vulnerable function sends the stored credits to msg.sender and resets the wrong mapping key, the attacker receives the victim's balance. The test verifies that the attacker's balance increases by failedCredit, demonstrating the exploit: unauthorized withdrawal of another user's funds.
To prevent this vulnerability, ensure that the caller is the intended recipient by requiring _receiver == msg.sender before transferring funds, and use the same key (_receiver) for the balance read, the reset, and the payout.
Summary: withdrawAllFailedCredits allows any user to withdraw another account's failed transfer credits because it uses msg.sender instead of _receiver for the balance reset and the transfer.
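The following is an added illustration, not code from the BidBeasts contract or its audit: a minimal reconstruction of the vulnerable pattern the finding describes next to the hardened version, plus a Foundry regression test that follows the reproduction steps above (seed the mapping with vm.store, fund the contract, call from a third-party address) and asserts that the fix rejects the call and leaves the victim's credit untouched. Contract names, the revert strings, and the storage layout (the mapping is at slot 0 here, not slot 5 as in the audited contract) are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Reconstruction (assumption, not the audited source): only the
// failedTransferCredits bookkeeping is modeled, so the mapping sits at
// slot 0 here rather than slot 5 as in the real contract.
contract FailedCreditsVulnerable {
    mapping(address => uint256) public failedTransferCredits;

    receive() external payable {}

    // Vulnerable pattern described in the finding: the amount is read for
    // _receiver, but both the reset and the payout use msg.sender.
    function withdrawAllFailedCredits(address _receiver) external {
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "no failed credits");
        failedTransferCredits[msg.sender] = 0;                     // wrong key: victim keeps a balance
        (bool ok, ) = payable(msg.sender).call{value: amount}(""); // wrong payee: caller is paid
        require(ok, "withdraw failed");
    }
}

contract FailedCreditsFixed {
    mapping(address => uint256) public failedTransferCredits;

    receive() external payable {}

    // Hardened: the caller must be the credited account, one key is used for
    // read, reset and payout, and state is cleared before the external call.
    function withdrawAllFailedCredits(address _receiver) external {
        require(_receiver == msg.sender, "caller is not the receiver");
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "no failed credits");
        failedTransferCredits[_receiver] = 0;
        (bool ok, ) = payable(_receiver).call{value: amount}("");
        require(ok, "withdraw failed");
    }
}

// Regression test for the fixed contract, mirroring the finding's
// reproduction steps with constructed addresses and a constructed credit.
contract FailedCreditsFixTest is Test {
    FailedCreditsFixed market;
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");
    uint256 constant FAILED_CREDIT = 1 ether;

    function setUp() public {
        market = new FailedCreditsFixed();
        // Storage slot of failedTransferCredits[victim]: keccak256(key . mappingSlot).
        // The mapping is at slot 0 in this reconstruction (slot 5 in the audited contract).
        bytes32 slot = keccak256(abi.encode(victim, uint256(0)));
        vm.store(address(market), slot, bytes32(FAILED_CREDIT));
        vm.deal(address(market), FAILED_CREDIT);
    }

    function testThirdPartyCannotWithdrawVictimCredits() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("caller is not the receiver"));
        market.withdrawAllFailedCredits(victim);

        // Victim's credit is still there and the caller received nothing.
        assertEq(market.failedTransferCredits(victim), FAILED_CREDIT);
        assertEq(attacker.balance, 0);
    }

    function testVictimCanWithdrawOwnCredits() public {
        vm.prank(victim);
        market.withdrawAllFailedCredits(victim);

        assertEq(market.failedTransferCredits(victim), 0);
        assertEq(victim.balance, FAILED_CREDIT);
    }
}
```

Run with forge test in a project that has forge-std installed. An equally sound alternative fix is to drop the _receiver parameter entirely and key every read, reset and payout on msg.sender; the require shown above is the smallest change that keeps the existing signature while closing the mismatch.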