The `Withdrawn` event is intended to log the amount withdrawn and the contract's new balance after withdrawal
The event emits `address(this).balance` as the `newBalance` parameter after the ETH transfer has already occurred, which will always be 0 (or near 0) for a full withdrawal, and the pre-transfer balance snapshot could be stale if concurrent deposits occur
Likelihood: LOW
This will occur every time `withdraw()` is called after all treasures are claimed
Edge case occurs when ETH is sent to the contract (via `receive()`) between balance snapshot and transfer
Impact: LOW
Off-chain monitoring systems receive potentially misleading event data
The `amount` field could be incorrect if concurrent deposits occur during execution
The `newBalance` field is redundant (always 0 after full withdrawal)
Could cause minor accounting discrepancies in indexers and monitoring tools
The vulnerability causes incorrect event emission data, particularly in edge cases with concurrent ETH deposits during withdrawal execution.
Ensure consistent event data by either capturing the actual transferred amount or simplifying the event:
// Option 1: Simplify - newBalance is always 0 for full withdrawal
// Option 2: Prevent concurrent deposits during withdrawal
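The following is an added example, not the audited contract's code: it shows the event pattern the finding describes next to a version that applies both options. The contract name, the `owner` field, the `withdrawing` flag, `withdrawAsReported()`, `WithdrawnSimple` and the custom errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Everything except the Withdrawn event shape, withdraw()
// and receive() is a hypothetical name chosen for this example.
contract WithdrawEventExample {
    address public immutable owner;
    bool private withdrawing; // set while a withdrawal is in flight (Option 2)

    event Withdrawn(uint256 amount, uint256 newBalance); // shape described in the finding
    event WithdrawnSimple(uint256 amount);               // Option 1: no newBalance field

    error NotOwner();
    error TransferFailed();
    error DepositsPaused();

    constructor() {
        owner = msg.sender;
    }

    // Option 2: reject plain ETH deposits while withdraw() is executing.
    receive() external payable {
        if (withdrawing) revert DepositsPaused();
    }

    // Pattern from the finding: newBalance is read after the transfer,
    // so a full withdrawal reports 0 (or whatever arrived during the call).
    function withdrawAsReported() external {
        if (msg.sender != owner) revert NotOwner();
        uint256 amount = address(this).balance;        // pre-transfer snapshot
        (bool ok, ) = payable(owner).call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit Withdrawn(amount, address(this).balance); // post-transfer read
    }

    // Options 1 and 2 combined: emit only the amount actually sent, and keep
    // receive() closed between the snapshot and the end of the transfer.
    function withdraw() external {
        if (msg.sender != owner) revert NotOwner();
        withdrawing = true;
        uint256 amount = address(this).balance;
        (bool ok, ) = payable(owner).call{value: amount}("");
        withdrawing = false;
        if (!ok) revert TransferFailed();
        emit WithdrawnSimple(amount);
    }
}
```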