Failed credits withdrawal function allows theft of all contract funds
Description:
The withdrawAllFailedCredits() function contains a critical vulnerability where it reads the balance of one user (_receiver) (parameter is controled by attacker) but resets the balance of another user (msg.sender) and sends funds to msg.sender. This creates a severe vulnerability where any user can drain all ETH from the contract by specifying other users' addresses as the _receiver parameter while receiving the funds themselves.
Attack path:
Attacker calls
withdrawAllFailedCredits(victimAddress)wherevictimAddresshas accumulated failed ETHThe function reads
amount = failedTransferCredits[victimAddress](victim's balance)The function incorrectly resets
failedTransferCredits[msg.sender] = 0(attacker's balance, not victim's)The function sends
amountETH topayable(msg.sender)(attacker receives funds)Victim's balance
failedTransferCredits[victimAddress]remains unchangedAttacker can repeat this process indefinitely to drain all ETH from the contract
Impact:
Complete theft of the entire contract balance (failed transfer ETH + fees)
Recommended Mitigation:
Fix the function that msg.sender can set different receiver address, if msg.sender could not receive ETH
Lead Judging Commences
BidBeast Marketplace: Unrestricted FailedCredits Withdrawal
withdrawAllFailedCredits allows any user to withdraw another account’s failed transfer credits due to improper use of msg.sender instead of _receiver for balance reset and transfer.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.