Egis-Security / CTF_Challenge

Repository containing CTF challenges from nmirchev8, deth and bOgO.

b0g0_ctf - Transferring NFTs causes funds to remain stuck #23

Open highskore opened 1 month ago

highskore commented 1 month ago

If there's a user that minted an NFT using his own funds, calling the deposit() function, the funds would be stored under his address in deposits[msg.sender] and the NFT is minted to his address.

If the user transfers the NFT to another address and then calls the withdraw function, it will try to withdraw funds from his own deposit: deposits[msg.sender] -= depositRequired;

The result is that the first will never be able to withdraw the funds.

Mitigation:

Update the deposits mapping inside the ERC712 transfer function(s).
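
The accounting mismatch described in this report, with the vulnerable transfer beside the suggested mitigation, as an added sketch that is not the b0g0_ctf source. Only deposit(), withdraw(), deposits and depositRequired come from the report; the contract name, the two transfer functions, the ownerOf mapping, the 1 ether value and the rule that withdraw() requires holding the token are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, NOT the challenge contract. Hypothetical names throughout,
// except deposit(), withdraw(), deposits and depositRequired (named in the report).
contract DepositNftSketch {
    uint256 public constant depositRequired = 1 ether; // constructed value
    mapping(address => uint256) public deposits;       // keyed by depositor address
    mapping(uint256 => address) public ownerOf;        // minimal stand-in for the NFT
    uint256 private nextId;

    function deposit() external payable returns (uint256 id) {
        require(msg.value == depositRequired, "wrong deposit");
        deposits[msg.sender] += msg.value;
        id = nextId++;
        ownerOf[id] = msg.sender;
    }

    // Pattern from the report: ownership moves, the deposit record does not.
    function transferVulnerable(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        ownerOf[id] = to;
    }

    // Suggested mitigation: move the deposit record together with the token.
    function transferFixed(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        require(to != address(0), "zero address");
        deposits[msg.sender] -= depositRequired;
        deposits[to] += depositRequired;
        ownerOf[id] = to;
    }

    // Assumption: only the current holder may withdraw, and the token is burned.
    function withdraw(uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        // After transferVulnerable the new holder's balance is 0, so this
        // subtraction reverts (checked arithmetic), and the original depositor
        // fails the ownership check above: the ether stays in the contract.
        deposits[msg.sender] -= depositRequired;
        delete ownerOf[id];
        (bool ok, ) = msg.sender.call{value: depositRequired}("");
        require(ok, "send failed");
    }
}
```

A regression test for the fix would assert that after a transfer the sum of deposits over all holders still equals the contract balance and that the new holder's withdraw() succeeds.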

BogoCvetkov commented 1 month ago

Valid one! But it was discovered first by another auditor -> https://github.com/Egis-Security/CTF_Challenge/issues/22

BogoCvetkov commented 1 month ago

After additional consideration I decided to split the reward for this one between this issue and #22.

The reason is that #22 is the first report of this bug; however, this submission is the first to also provide a viable recommendation for fixing it.

It seems fair to reward both auditors for their effort.