Code4rena CODE423N4:2021-10-POOLTOGETHER-FINDINGS-ISSUES-62
Oct 14, 2021 - 12:00 a.m.

PrizePool.awardExternalERC721() Erroneously Emits Events

2021-10-14 00:00:00
Code4rena
github.com
solidity
try and catch
errorawardingexternalerc721 event
off-chain script
erc721 tokenid

Handle

leastwood

Vulnerability details

Impact

The awardExternalERC721() function uses Solidity's try and catch statement to ensure a single tokenId cannot deny function execution. If the try statement fails, an ErrorAwardingExternalERC721 event is emitted with the relevant error; however, the failed tokenId is not removed from the list of tokenIds emitted at the end of function execution. As a result, the AwardedExternalERC721 event is emitted with the entire list of tokenIds, regardless of failure. An off-chain script or user could therefore be tricked into thinking an ERC721 tokenId was successfully awarded.

Proof of Concept

Tools Used

Manual code review

Recommended Mitigation Steps

Consider emitting only successfully transferred tokenIds in the AwardedExternalERC721 event.
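
An added sketch of the pattern the finding describes, next to one way to apply the recommended mitigation; it is not PoolTogether's PrizePool code. The contract name, function names, event parameter layouts and the minimal IERC721 interface are assumptions, and access control and the external-token check are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Minimal ERC721 surface needed for this sketch (assumed interface).
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Illustrative contract, not the audited PrizePool. Event names come from the
// finding; their parameter layouts here are assumptions.
contract AwardSketch {
    event AwardedExternalERC721(address indexed to, address indexed token, uint256[] tokenIds);
    event ErrorAwardingExternalERC721(bytes error);

    // Pattern described in the finding: the full input list is emitted even
    // when some transfers reverted and were swallowed by the catch block.
    function awardReported(address to, address token, uint256[] calldata tokenIds) external {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            try IERC721(token).safeTransferFrom(address(this), to, tokenIds[i]) {
            } catch (bytes memory reason) {
                emit ErrorAwardingExternalERC721(reason);
            }
        }
        emit AwardedExternalERC721(to, token, tokenIds); // includes failed ids
    }

    // Mitigation: record only the ids whose transfer actually succeeded.
    function awardMitigated(address to, address token, uint256[] calldata tokenIds) external {
        uint256[] memory awarded = new uint256[](tokenIds.length);
        uint256 count = 0;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            try IERC721(token).safeTransferFrom(address(this), to, tokenIds[i]) {
                awarded[count++] = tokenIds[i];
            } catch (bytes memory reason) {
                emit ErrorAwardingExternalERC721(reason);
            }
        }
        if (count == 0) return; // nothing was awarded, so emit no success event
        // Shrink the memory array's length to the number of successes.
        assembly { mstore(awarded, count) }
        emit AwardedExternalERC721(to, token, awarded);
    }
}
```

With this shape, an off-chain consumer can treat every tokenId in AwardedExternalERC721 as transferred without cross-checking the error events.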

