Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Missing Withdrawal Event Causing Contract Balance Miscalculation

Description

  • Users withdraw failed transfer credits via withdrawAllFailedCredits, receiving stored ETH.

  • No event is emitted on a successful withdrawal, so event-reliant frontends miss the outflow and overstate the contract's ETH balance.

    function withdrawAllFailedCredits(address _receiver) external {
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0;
        (bool success,) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
        // @> No event emitted here
    }

Risk

Likelihood:

  • On every successful credit withdrawal post-failed payout.

  • When databases sync balances solely from events.

Impact:

  • Inflated contract balance views mislead users on liquidity.

  • Hinders accurate auditing and trust.

Proof of Concept

It's quite clear here that no event emission was included in the function:

    function withdrawAllFailedCredits(address _receiver) external {
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0;
        (bool success,) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
        // @> No event emitted here
    }
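
A Foundry test that makes the missing log observable, as an added example that is not part of the original submission or the BidBeasts code base. `CreditsHarness`, its `credit` helper and the test names are hypothetical stand-ins; only the withdrawal body is copied from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical stand-in for the marketplace: only the credit bookkeeping from the report.
contract CreditsHarness {
    mapping(address => uint256) public failedTransferCredits;

    // Test helper (assumption): models a failed payout being stored as a credit.
    function credit(address user) external payable {
        failedTransferCredits[user] += msg.value;
    }

    // Function body as quoted in the report, left unchanged.
    function withdrawAllFailedCredits(address _receiver) external {
        uint256 amount = failedTransferCredits[_receiver];
        require(amount > 0, "No credits to withdraw");
        failedTransferCredits[msg.sender] = 0;
        (bool success,) = payable(msg.sender).call{value: amount}("");
        require(success, "Withdraw failed");
    }
}

contract MissingWithdrawalEventTest is Test {
    CreditsHarness internal market;
    address internal alice = makeAddr("alice");

    function setUp() public {
        market = new CreditsHarness();
        vm.deal(address(this), 1 ether);
        market.credit{value: 1 ether}(alice);
    }

    function test_withdrawalLeavesNoLog() public {
        vm.recordLogs();
        vm.prank(alice);
        market.withdrawAllFailedCredits(alice);
        Vm.Log[] memory logs = vm.getRecordedLogs();

        // The ETH has left the contract...
        assertEq(alice.balance, 1 ether);
        assertEq(address(market).balance, 0);
        // ...but the transaction produced no log an indexer could pick up.
        assertEq(logs.length, 0);
    }
}
```

Once the mitigation is applied, the final assertion should be replaced by a `vm.expectEmit` check for the new event, so the test guards against the log being dropped again.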

Recommended Mitigation

Switches amount check to msg.sender only; zeros msg.sender slot; sends ETH to _receiver; adds event for tracking withdrawals.

+event FailedCreditsWithdrawn(address indexed receiver, uint256 amount);
function withdrawAllFailedCredits(address _receiver) external {
- uint256 amount = failedTransferCredits[_receiver];
+ uint256 amount = failedTransferCredits[msg.sender];
require(amount > 0, "No credits");
failedTransferCredits[msg.sender] = 0;
- (bool success,) = payable(msg.sender).call{value: amount}("");
+ (bool success,) = payable(_receiver).call{value: amount}("");
require(success, "Withdraw failed");
+ emit FailedCreditsWithdrawn(_receiver, amount);
}
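
Review bot: the `emit FailedCreditsWithdrawn(_receiver, amount)` line logs only the destination, while the credit that was zeroed belongs to `msg.sender`; once `_receiver` can differ from the caller, an indexer cannot tell whose `failedTransferCredits` entry was drained. Consider declaring the event with both an indexed owner (`msg.sender`) and the indexed receiver. Two smaller points: the unchanged context line `require(amount > 0, "No credits");` does not match the original revert string "No credits to withdraw", so the string change should carry its own -/+ lines, and with ETH now sent to `_receiver` a zero-address check on that parameter is worth adding.
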
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
