Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Missing Withdrawal Event Causing Contract Balance Miscalculation

Description

  • Users withdraw failed transfer credits via withdrawAllFailedCredits, receiving stored ETH.

  • No event is emitted on a successful withdrawal, so frontends that rely on events miss the outflow and overstate the contract's ETH balance.

function withdrawAllFailedCredits(address _receiver) external {
    uint256 amount = failedTransferCredits[_receiver];
    require(amount > 0, "No credits to withdraw");
    failedTransferCredits[msg.sender] = 0;
    (bool success,) = payable(msg.sender).call{value: amount}("");
    require(success, "Withdraw failed");
@>  // No event emitted here
}

Risk

Likelihood:

  • On every successful credit withdrawal after a failed payout.

  • When databases sync balances solely from events.

Impact:

  • Inflated contract balance views mislead users on liquidity.

  • Hinders accurate auditing and trust.

Proof of Concept

It's quite clear here that no event emission was included in the function:

function withdrawAllFailedCredits(address _receiver) external {
    uint256 amount = failedTransferCredits[_receiver];
    require(amount > 0, "No credits to withdraw");
    failedTransferCredits[msg.sender] = 0;
    (bool success,) = payable(msg.sender).call{value: amount}("");
    require(success, "Withdraw failed");
@>  // No event emitted here
}
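
The balance overstatement described under Impact can be reproduced and detected off-chain. The following is an added example, not part of the original submission or the BidBeasts code base: it replays event logs the way an event-only indexer would and compares the result with on-chain balances sampled per block. The BidPlaced event name, the block numbers and the amounts are constructed assumptions; FailedCreditsWithdrawn is the event proposed in the mitigation.

```python
from dataclasses import dataclass

ETH = 10**18

# Sign of each event's effect on the contract's ETH balance, as configured in
# an event-only indexer. "BidPlaced" is a hypothetical event name;
# "FailedCreditsWithdrawn" is the event proposed in the mitigation.
EFFECT = {"BidPlaced": +1, "FailedCreditsWithdrawn": -1}


@dataclass(frozen=True)
class Log:
    block: int
    event: str
    amount_wei: int


def indexed_balance_at(logs, block):
    """Contract balance an event-only indexer derives up to and including `block`."""
    return sum(EFFECT.get(log.event, 0) * log.amount_wei
               for log in logs if log.block <= block)


def first_drift(logs, onchain):
    """Reconcile against on-chain balances sampled per block (e.g. eth_getBalance).

    Returns (block, indexed - onchain) for the earliest mismatch, else None.
    A positive drift means ETH left the contract without a matching event.
    """
    for block in sorted(onchain):
        drift = indexed_balance_at(logs, block) - onchain[block]
        if drift != 0:
            return block, drift
    return None


# Constructed scenario: two bids arrive, a 1 ETH payout fails and is credited
# (no ETH leaves the contract), then the credit is withdrawn in block 110.
ONCHAIN = {100: 1 * ETH, 105: 3 * ETH, 110: 2 * ETH}
LOGS_ORIGINAL = [Log(100, "BidPlaced", 1 * ETH), Log(105, "BidPlaced", 2 * ETH)]
LOGS_PATCHED = LOGS_ORIGINAL + [Log(110, "FailedCreditsWithdrawn", 1 * ETH)]

if __name__ == "__main__":
    print("original:", first_drift(LOGS_ORIGINAL, ONCHAIN))  # drift of 1 ETH at block 110
    print("patched: ", first_drift(LOGS_PATCHED, ONCHAIN))   # None
```

Running the same reconciliation on a schedule gives an indexer a way to flag unlogged outflows and to narrow them to a block range, independent of which events the contract emits.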

Recommended Mitigation

The fix reads the credit amount from msg.sender only, zeroes the msg.sender slot, sends the ETH to _receiver, and adds an event for tracking withdrawals.

+event FailedCreditsWithdrawn(address indexed receiver, uint256 amount);
function withdrawAllFailedCredits(address _receiver) external {
- uint256 amount = failedTransferCredits[_receiver];
+ uint256 amount = failedTransferCredits[msg.sender];
require(amount > 0, "No credits");
failedTransferCredits[msg.sender] = 0;
- (bool success,) = payable(msg.sender).call{value: amount}("");
+ (bool success,) = payable(_receiver).call{value: amount}("");
require(success, "Withdraw failed");
+ emit FailedCreditsWithdrawn(_receiver, amount);
}
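
Review bot: the new event on the "+ emit FailedCreditsWithdrawn(_receiver, amount);" line records only the receiver, while the credit is debited from failedTransferCredits[msg.sender], so when _receiver differs from msg.sender an indexer cannot tell whose credit slot went to zero. Consider declaring the event with both parties, for example an indexed account (msg.sender) alongside the indexed receiver, and emitting both. Two smaller points: _receiver is forwarded to the call without a zero-address check, so a caller passing address(0) would burn the credit; and the unchanged context line require(amount > 0, "No credits") does not match the original's "No credits to withdraw" string, so either mark that line as a -/+ change or restore the original text. The switch from _receiver to msg.sender for the lookup and from msg.sender to _receiver for the payout changes who may withdraw and where funds go, which goes beyond the missing-event title and deserves its own explanation in the write-up.
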
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
