57892 sc insight long tokens will be stuck in the escrow if customers exclusively use usdc payments in paytovenue

Submitted on: Oct 29th 2025 at 11:45:45 UTC by @Josh4324
Audit: Audit Comp | Belong
Report ID: #57892
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/BelongCheckIn.sol
Impacts: Permanent freezing of funds

Description

Brief / Intro

In the BelongCheckIn contract, venue-deposited LONG tokens are held in an Escrow and primarily disbursed as subsidies during customer LONG payments (via payToVenue with paymentInUSDC = false). If all customers exclusively pay in USDC (paymentInUSDC = true), subsidy distributions never occur, leaving LONG funds in the Escrow without a direct redemption mechanism for venues. This can result in LONG deposits being permanently locked, as there are no functions allowing venues to withdraw LONG balances or otherwise redeem unused LONG.

Vulnerability Details

LONG deposits (recorded in Escrow as longDeposits) are only disbursed via distributeLONGDiscount, which is exclusively called in the LONG payment path of payToVenue to provide subsidies (subsidyMinusFees). If customers always choose USDC payments, this path is never triggered, and no LONG outflows occur. The contract lacks any venue-direct withdrawal, burn-to-redeem, or timed release for unused LONG.

Impact Details

Venue owners may be unable to access deposited LONG, leading to locked LONG funds.

Permanent freezing of funds: deposited LONG can become permanently inaccessible to venue owners if the contract never invokes the LONG-distribution path.

References

Vulnerable code (reference line): https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/BelongCheckIn.sol#L421

Proof of Concept

Save the following test into file.test.ts and run:

yarn test test/v2/platform/file.test.ts

import { ethers } from 'hardhat';
import { BigNumber } from 'ethers';
import { loadFixture } from '@nomicfoundation/hardhat-network-helpers';
import EthCrypto from 'eth-crypto';
import {
  AccessToken,
  CreditToken,
  Escrow,
  Factory,
  Helper,
  MockTransferValidatorV2,
  RoyaltiesReceiverV2,
  SignatureVerifier,
  Staking,
  BelongCheckIn,
  VestingWalletExtended,
} from '../../../typechain-types';
import {
  deployCreditTokens,
  deployAccessTokenImplementation,
  deployCreditTokenImplementation,
  deployFactory,
  deployRoyaltiesReceiverV2Implementation,
  deployStaking,
  deployBelongCheckIn,
  deployEscrow,
  deployVestingWalletImplementation,
} from '../../../helpers/deployFixtures';
import { getSignerFromAddress, getToken, startSimulateMainnet, stopSimulate } from '../../../helpers/fork';
import { deployHelper, deploySignatureVerifier } from '../../../helpers/deployLibraries';
import { deployMockTransferValidatorV2, deployPriceFeeds } from '../../../helpers/deployMockFixtures';
import { expect } from 'chai';
import {
  CustomerInfoStruct,
  PromoterInfoStruct,
  VenueInfoStruct,
  VenueRulesStruct,
} from '../../../typechain-types/contracts/v2/platform/BelongCheckIn';
import { U, u } from '../../../helpers/math';

describe('BelongCheckIn ETH Uniswap', () => {
  const chainId = 31337;

  const WETH_ADDRESS = '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2';
  const USDC_ADDRESS = '0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48';
  const ENA_ADDRESS = '0x57e114B691Db790C35207b2e685D4A43181e6061'; //used instead of LONG

  const USDC_WHALE_ADDRESS = '0x8EB8a3b98659Cce290402893d0123abb75E3ab28';
  const WETH_WHALE_ADDRESS = '0x57757E3D981446D585Af0D9Ae4d7DF6D64647806';
  const ENA_WHALE_ADDRESS = '0xF977814e90dA44bFA03b6295A0616a897441aceC';

  const UNISWAP_FACTORY_ADDRESS = '0x1F98431c8aD98523631AE4a59f267346ea31F984';
  const UNISWAP_ROUTER_ADDRESS = '0xE592427A0AEce92De3Edee1F18E0157C05861564';
  const UNISWAP_QUOTER_ADDRESS = '0xb27308f9F90D607463bb33eA1BeBb41C27CE5AB6';
  const POOL_FEE = 3000;
  const MAX_PRICEFEED_DELAY = 3600;

  const usdcPercentage = 2000;
  const convenienceFeeAmount = U(5, 6); // $5

  const paymentsInfo: BelongCheckIn.PaymentsInfoStruct = {
    swapPoolFees: POOL_FEE,
    slippageBps: BigNumber.from(10).pow(27).sub(1),
    swapV3Factory: UNISWAP_FACTORY_ADDRESS,
    swapV3Router: UNISWAP_ROUTER_ADDRESS,
    swapV3Quoter: UNISWAP_QUOTER_ADDRESS,
    wNativeCurrency: WETH_ADDRESS,
    usdc: USDC_ADDRESS,
    long: ENA_ADDRESS,
    maxPriceFeedDelay: MAX_PRICEFEED_DELAY,
  };

  const stakingRewards: [
    BelongCheckIn.RewardsInfoStruct,
    BelongCheckIn.RewardsInfoStruct,
    BelongCheckIn.RewardsInfoStruct,
    BelongCheckIn.RewardsInfoStruct,
    BelongCheckIn.RewardsInfoStruct,
  ] = [
    {
      venueStakingInfo: {
        depositFeePercentage: 1000,
        convenienceFeeAmount,
      } as BelongCheckIn.VenueStakingRewardInfoStruct,
      promoterStakingInfo: {
        usdcPercentage,
        longPercentage: 800,
      } as BelongCheckIn.PromoterStakingRewardInfoStruct,
    } as BelongCheckIn.RewardsInfoStruct,
    {
      venueStakingInfo: {
        depositFeePercentage: 900,
        convenienceFeeAmount,
      } as BelongCheckIn.VenueStakingRewardInfoStruct,
      promoterStakingInfo: {
        usdcPercentage,
        longPercentage: 700,
      } as BelongCheckIn.PromoterStakingRewardInfoStruct,
    } as BelongCheckIn.RewardsInfoStruct,
    {
      venueStakingInfo: {
        depositFeePercentage: 800,
        convenienceFeeAmount,
      } as BelongCheckIn.VenueStakingRewardInfoStruct,
      promoterStakingInfo: {
        usdcPercentage,
        longPercentage: 600,
      } as BelongCheckIn.PromoterStakingRewardInfoStruct,
    } as BelongCheckIn.RewardsInfoStruct,
    {
      venueStakingInfo: {
        depositFeePercentage: 700,
        convenienceFeeAmount,
      } as BelongCheckIn.VenueStakingRewardInfoStruct,
      promoterStakingInfo: {
        usdcPercentage,
        longPercentage: 500,
      } as BelongCheckIn.PromoterStakingRewardInfoStruct,
    } as BelongCheckIn.RewardsInfoStruct,
    {
      venueStakingInfo: {
        depositFeePercentage: 500,
        convenienceFeeAmount,
      } as BelongCheckIn.VenueStakingRewardInfoStruct,
      promoterStakingInfo: {
        usdcPercentage,
        longPercentage: 400,
      } as BelongCheckIn.PromoterStakingRewardInfoStruct,
    } as BelongCheckIn.RewardsInfoStruct,
  ];
  const fees: BelongCheckIn.FeesStruct = {
    referralCreditsAmount: 3,
    affiliatePercentage: 1000,
    longCustomerDiscountPercentage: 300,
    platformSubsidyPercentage: 300,
    processingFeePercentage: 250,
    buybackBurnPercentage: 5000,
  };
  let implementations: Factory.ImplementationsStruct, contracts: BelongCheckIn.ContractsStruct;

  before(startSimulateMainnet);
  after(stopSimulate);

  async function fixture() {
    const [admin, treasury, manager, minter, burner, pauser, referral] = await ethers.getSigners();
    const signer = EthCrypto.createIdentity();

    const WETH_whale = await getSignerFromAddress(WETH_WHALE_ADDRESS);
    const USDC_whale = await getSignerFromAddress(USDC_WHALE_ADDRESS);
    const ENA_whale = await getSignerFromAddress(ENA_WHALE_ADDRESS);
    const WETH = await getToken(WETH_ADDRESS);
    const USDC = await getToken(USDC_ADDRESS);
    const ENA = await getToken(ENA_ADDRESS);

    const signatureVerifier: SignatureVerifier = await deploySignatureVerifier();
    const validator: MockTransferValidatorV2 = await deployMockTransferValidatorV2();
    const accessTokenImplementation: AccessToken = await deployAccessTokenImplementation(signatureVerifier.address);
    const royaltiesReceiverV2Implementation: RoyaltiesReceiverV2 = await deployRoyaltiesReceiverV2Implementation();
    const creditTokenImplementation: CreditToken = await deployCreditTokenImplementation();
    const vestingWallet: VestingWalletExtended = await deployVestingWalletImplementation();

    const treasuryUsdcBalance = await USDC.balanceOf(treasury.address);
    if (!treasuryUsdcBalance.isZero()) {
      await USDC.connect(treasury).transfer(USDC_whale.address, treasuryUsdcBalance);
    }

    implementations = {
      accessToken: accessTokenImplementation.address,
      creditToken: creditTokenImplementation.address,
      royaltiesReceiver: royaltiesReceiverV2Implementation.address,
      vestingWallet: vestingWallet.address,
    };

    const factory: Factory = await deployFactory(
      treasury.address,
      signer.address,
      signatureVerifier.address,
      validator.address,
      implementations,
    );

    const helper: Helper = await deployHelper();
    const staking: Staking = await deployStaking(admin.address, treasury.address, ENA_ADDRESS);

    const referralCode = EthCrypto.hash.keccak256([
      { type: 'address', value: referral.address },
      { type: 'address', value: factory.address },
      { type: 'uint256', value: chainId },
    ]);

    await factory.connect(referral).createReferralCode();

    const belongCheckIn: BelongCheckIn = await deployBelongCheckIn(
      signatureVerifier.address,
      helper.address,
      admin.address,
      paymentsInfo,
    );

    const escrow: Escrow = await deployEscrow(belongCheckIn.address);
    const { pf1, pf2, pf2_2, pf2_3, pf3 } = await deployPriceFeeds();
    const { venueToken, promoterToken } = await deployCreditTokens(
      true,
      false,
      factory.address,
      signer.privateKey,
      admin,
      manager.address,
      belongCheckIn.address,
      belongCheckIn.address,
    );

    contracts = {
      factory: factory.address,
      escrow: escrow.address,
      staking: staking.address,
      venueToken: venueToken.address,
      promoterToken: promoterToken.address,
      longPF: pf1.address,
    };

    await belongCheckIn.setContracts(contracts);

    return {
      signatureVerifier,
      helper,
      factory,
      staking,
      venueToken,
      promoterToken,
      belongCheckIn,
      escrow,
      pf1,
      pf2,
      pf2_2,
      pf2_3,
      pf3,
      admin,
      treasury,
      manager,
      minter,
      burner,
      pauser,
      referral,
      signer,
      referralCode,
      WETH,
      USDC,
      ENA,
      WETH_whale,
      USDC_whale,
      ENA_whale,
    };
  }

  describe('Funds Stuck', () => {
    it('payToVenue() (w/o promoter)', async () => {
      const { belongCheckIn, signer, USDC, USDC_whale, ENA_whale, escrow, ENA } = await loadFixture(fixture);

      const uri = 'uriuri';
      const venueAmount = await u(100, USDC);
      const venue = USDC_whale.address;
      const venueMessage = ethers.utils.solidityKeccak256(
        ['address', 'bytes32', 'string', 'uint256'],
        [venue, ethers.constants.HashZero, uri, chainId],
      );
      const venueSignature = EthCrypto.sign(signer.privateKey, venueMessage);
      const venueInfo: VenueInfoStruct = {
        rules: { paymentType: 1, bountyType: 0, longPaymentType: 0 } as VenueRulesStruct,
        venue,
        amount: venueAmount,
        referralCode: ethers.constants.HashZero,
        uri,
        signature: venueSignature,
      };
      const willBeTaken = convenienceFeeAmount.add(venueAmount);
      await USDC.connect(USDC_whale).approve(belongCheckIn.address, willBeTaken);
      await belongCheckIn.connect(USDC_whale).venueDeposit(venueInfo);

      const customerAmount = await u(5, USDC);
      const customerMessage = ethers.utils.solidityKeccak256(
        ['bool', 'uint128', 'uint24', 'address', 'address', 'address', 'uint256', 'uint256'],
        [
          true, // paymentInUSDC
          0, // visitBountyAmount (uint24, adjust to uint256 if needed)
          0, // spendBountyPercentage (uint24, adjust to uint256 if needed)
          ENA_whale.address, // customer
          USDC_whale.address, // venueToPayFor
          ethers.constants.AddressZero, // promoter
          customerAmount, // amount
          chainId, // block.chainid
        ],
      );
      const customerSignature = EthCrypto.sign(signer.privateKey, customerMessage);
      const customerInfo: CustomerInfoStruct = {
        paymentInUSDC: true,
        visitBountyAmount: 0,
        spendBountyPercentage: 0,
        customer: ENA_whale.address,
        venueToPayFor: USDC_whale.address,
        promoter: ethers.constants.AddressZero,
        amount: customerAmount,
        signature: customerSignature,
      };

      await USDC.connect(USDC_whale).transfer(ENA_whale.address, customerAmount);
      await USDC.connect(ENA_whale).approve(belongCheckIn.address, customerAmount);

      const tx = await belongCheckIn.connect(ENA_whale).payToVenue(customerInfo);

      const venueBalance_escrow = await ENA.balanceOf(escrow.address);

      console.log('venueBalance_escrow', venueBalance_escrow);

      // No function to withdraw long funds by venue owner
    });
  });
});

Example test output (shows LONG tokens remain in Escrow):

venueBalance_escrow BigNumber { value: "7957086772067060989" }
      ✔ payToVenue() (w/o promoter) (2096ms)
  1 passing (6s)

Notes / Next steps

The contract should provide a path for venues to reclaim LONG tokens that were deposited into Escrow but never distributed (for example: a venue-withdraw function, burn-to-redeem, owner-triggered distribution, or a timed/unclaimed-release mechanism).
Any proposed fix should preserve intended subsidy mechanics while ensuring deposited LONG cannot be permanently locked when customers exclusively pay in USDC.

Previous57703 sc medium dos with revert via unbounded loop Next57663 sc insight gas storage optimization erc1155info struct in structures sol can save one slot through field reordering

Was this helpful?

import { ethers } from 'hardhat'; import { BigNumber } from 'ethers'; import { loadFixture } from '@nomicfoundation/hardhat-network-helpers'; import EthCrypto from 'eth-crypto'; import { AccessToken, CreditToken, Escrow, Factory, Helper, MockTransferValidatorV2, RoyaltiesReceiverV2, SignatureVerifier, Staking, BelongCheckIn, VestingWalletExtended, } from '../../../typechain-types'; import { deployCreditTokens, deployAccessTokenImplementation, deployCreditTokenImplementation, deployFactory, deployRoyaltiesReceiverV2Implementation, deployStaking, deployBelongCheckIn, deployEscrow, deployVestingWalletImplementation, } from '../../../helpers/deployFixtures'; import { getSignerFromAddress, getToken, startSimulateMainnet, stopSimulate } from '../../../helpers/fork'; import { deployHelper, deploySignatureVerifier } from '../../../helpers/deployLibraries'; import { deployMockTransferValidatorV2, deployPriceFeeds } from '../../../helpers/deployMockFixtures'; import { expect } from 'chai'; import { CustomerInfoStruct, PromoterInfoStruct, VenueInfoStruct, VenueRulesStruct, } from '../../../typechain-types/contracts/v2/platform/BelongCheckIn'; import { U, u } from '../../../helpers/math'; describe('BelongCheckIn ETH Uniswap', () => { const chainId = 31337; const WETH_ADDRESS = '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2'; const USDC_ADDRESS = '0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48'; const ENA_ADDRESS = '0x57e114B691Db790C35207b2e685D4A43181e6061'; //used instead of LONG const USDC_WHALE_ADDRESS = '0x8EB8a3b98659Cce290402893d0123abb75E3ab28'; const WETH_WHALE_ADDRESS = '0x57757E3D981446D585Af0D9Ae4d7DF6D64647806'; const ENA_WHALE_ADDRESS = '0xF977814e90dA44bFA03b6295A0616a897441aceC'; const UNISWAP_FACTORY_ADDRESS = '0x1F98431c8aD98523631AE4a59f267346ea31F984'; const UNISWAP_ROUTER_ADDRESS = '0xE592427A0AEce92De3Edee1F18E0157C05861564'; const UNISWAP_QUOTER_ADDRESS = '0xb27308f9F90D607463bb33eA1BeBb41C27CE5AB6'; const POOL_FEE = 3000; const MAX_PRICEFEED_DELAY = 3600; const usdcPercentage = 2000; const convenienceFeeAmount = U(5, 6); // $5 const paymentsInfo: BelongCheckIn.PaymentsInfoStruct = { swapPoolFees: POOL_FEE, slippageBps: BigNumber.from(10).pow(27).sub(1), swapV3Factory: UNISWAP_FACTORY_ADDRESS, swapV3Router: UNISWAP_ROUTER_ADDRESS, swapV3Quoter: UNISWAP_QUOTER_ADDRESS, wNativeCurrency: WETH_ADDRESS, usdc: USDC_ADDRESS, long: ENA_ADDRESS, maxPriceFeedDelay: MAX_PRICEFEED_DELAY, }; const stakingRewards: [ BelongCheckIn.RewardsInfoStruct, BelongCheckIn.RewardsInfoStruct, BelongCheckIn.RewardsInfoStruct, BelongCheckIn.RewardsInfoStruct, BelongCheckIn.RewardsInfoStruct, ] = [ { venueStakingInfo: { depositFeePercentage: 1000, convenienceFeeAmount, } as BelongCheckIn.VenueStakingRewardInfoStruct, promoterStakingInfo: { usdcPercentage, longPercentage: 800, } as BelongCheckIn.PromoterStakingRewardInfoStruct, } as BelongCheckIn.RewardsInfoStruct, { venueStakingInfo: { depositFeePercentage: 900, convenienceFeeAmount, } as BelongCheckIn.VenueStakingRewardInfoStruct, promoterStakingInfo: { usdcPercentage, longPercentage: 700, } as BelongCheckIn.PromoterStakingRewardInfoStruct, } as BelongCheckIn.RewardsInfoStruct, { venueStakingInfo: { depositFeePercentage: 800, convenienceFeeAmount, } as BelongCheckIn.VenueStakingRewardInfoStruct, promoterStakingInfo: { usdcPercentage, longPercentage: 600, } as BelongCheckIn.PromoterStakingRewardInfoStruct, } as BelongCheckIn.RewardsInfoStruct, { venueStakingInfo: { depositFeePercentage: 700, convenienceFeeAmount, } as BelongCheckIn.VenueStakingRewardInfoStruct, promoterStakingInfo: { usdcPercentage, longPercentage: 500, } as BelongCheckIn.PromoterStakingRewardInfoStruct, } as BelongCheckIn.RewardsInfoStruct, { venueStakingInfo: { depositFeePercentage: 500, convenienceFeeAmount, } as BelongCheckIn.VenueStakingRewardInfoStruct, promoterStakingInfo: { usdcPercentage, longPercentage: 400, } as BelongCheckIn.PromoterStakingRewardInfoStruct, } as BelongCheckIn.RewardsInfoStruct, ]; const fees: BelongCheckIn.FeesStruct = { referralCreditsAmount: 3, affiliatePercentage: 1000, longCustomerDiscountPercentage: 300, platformSubsidyPercentage: 300, processingFeePercentage: 250, buybackBurnPercentage: 5000, }; let implementations: Factory.ImplementationsStruct, contracts: BelongCheckIn.ContractsStruct; before(startSimulateMainnet); after(stopSimulate); async function fixture() { const [admin, treasury, manager, minter, burner, pauser, referral] = await ethers.getSigners(); const signer = EthCrypto.createIdentity(); const WETH_whale = await getSignerFromAddress(WETH_WHALE_ADDRESS); const USDC_whale = await getSignerFromAddress(USDC_WHALE_ADDRESS); const ENA_whale = await getSignerFromAddress(ENA_WHALE_ADDRESS); const WETH = await getToken(WETH_ADDRESS); const USDC = await getToken(USDC_ADDRESS); const ENA = await getToken(ENA_ADDRESS); const signatureVerifier: SignatureVerifier = await deploySignatureVerifier(); const validator: MockTransferValidatorV2 = await deployMockTransferValidatorV2(); const accessTokenImplementation: AccessToken = await deployAccessTokenImplementation(signatureVerifier.address); const royaltiesReceiverV2Implementation: RoyaltiesReceiverV2 = await deployRoyaltiesReceiverV2Implementation(); const creditTokenImplementation: CreditToken = await deployCreditTokenImplementation(); const vestingWallet: VestingWalletExtended = await deployVestingWalletImplementation(); const treasuryUsdcBalance = await USDC.balanceOf(treasury.address); if (!treasuryUsdcBalance.isZero()) { await USDC.connect(treasury).transfer(USDC_whale.address, treasuryUsdcBalance); } implementations = { accessToken: accessTokenImplementation.address, creditToken: creditTokenImplementation.address, royaltiesReceiver: royaltiesReceiverV2Implementation.address, vestingWallet: vestingWallet.address, }; const factory: Factory = await deployFactory( treasury.address, signer.address, signatureVerifier.address, validator.address, implementations, ); const helper: Helper = await deployHelper(); const staking: Staking = await deployStaking(admin.address, treasury.address, ENA_ADDRESS); const referralCode = EthCrypto.hash.keccak256([ { type: 'address', value: referral.address }, { type: 'address', value: factory.address }, { type: 'uint256', value: chainId }, ]); await factory.connect(referral).createReferralCode(); const belongCheckIn: BelongCheckIn = await deployBelongCheckIn( signatureVerifier.address, helper.address, admin.address, paymentsInfo, ); const escrow: Escrow = await deployEscrow(belongCheckIn.address); const { pf1, pf2, pf2_2, pf2_3, pf3 } = await deployPriceFeeds(); const { venueToken, promoterToken } = await deployCreditTokens( true, false, factory.address, signer.privateKey, admin, manager.address, belongCheckIn.address, belongCheckIn.address, ); contracts = { factory: factory.address, escrow: escrow.address, staking: staking.address, venueToken: venueToken.address, promoterToken: promoterToken.address, longPF: pf1.address, }; await belongCheckIn.setContracts(contracts); return { signatureVerifier, helper, factory, staking, venueToken, promoterToken, belongCheckIn, escrow, pf1, pf2, pf2_2, pf2_3, pf3, admin, treasury, manager, minter, burner, pauser, referral, signer, referralCode, WETH, USDC, ENA, WETH_whale, USDC_whale, ENA_whale, }; } describe('Funds Stuck', () => { it('payToVenue() (w/o promoter)', async () => { const { belongCheckIn, signer, USDC, USDC_whale, ENA_whale, escrow, ENA } = await loadFixture(fixture); const uri = 'uriuri'; const venueAmount = await u(100, USDC); const venue = USDC_whale.address; const venueMessage = ethers.utils.solidityKeccak256( ['address', 'bytes32', 'string', 'uint256'], [venue, ethers.constants.HashZero, uri, chainId], ); const venueSignature = EthCrypto.sign(signer.privateKey, venueMessage); const venueInfo: VenueInfoStruct = { rules: { paymentType: 1, bountyType: 0, longPaymentType: 0 } as VenueRulesStruct, venue, amount: venueAmount, referralCode: ethers.constants.HashZero, uri, signature: venueSignature, }; const willBeTaken = convenienceFeeAmount.add(venueAmount); await USDC.connect(USDC_whale).approve(belongCheckIn.address, willBeTaken); await belongCheckIn.connect(USDC_whale).venueDeposit(venueInfo); const customerAmount = await u(5, USDC); const customerMessage = ethers.utils.solidityKeccak256( ['bool', 'uint128', 'uint24', 'address', 'address', 'address', 'uint256', 'uint256'], [ true, // paymentInUSDC 0, // visitBountyAmount (uint24, adjust to uint256 if needed) 0, // spendBountyPercentage (uint24, adjust to uint256 if needed) ENA_whale.address, // customer USDC_whale.address, // venueToPayFor ethers.constants.AddressZero, // promoter customerAmount, // amount chainId, // block.chainid ], ); const customerSignature = EthCrypto.sign(signer.privateKey, customerMessage); const customerInfo: CustomerInfoStruct = { paymentInUSDC: true, visitBountyAmount: 0, spendBountyPercentage: 0, customer: ENA_whale.address, venueToPayFor: USDC_whale.address, promoter: ethers.constants.AddressZero, amount: customerAmount, signature: customerSignature, }; await USDC.connect(USDC_whale).transfer(ENA_whale.address, customerAmount); await USDC.connect(ENA_whale).approve(belongCheckIn.address, customerAmount); const tx = await belongCheckIn.connect(ENA_whale).payToVenue(customerInfo); const venueBalance_escrow = await ENA.balanceOf(escrow.address); console.log('venueBalance_escrow', venueBalance_escrow); // No function to withdraw long funds by venue owner }); }); });

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of Concept

hashtagNotes / Next steps

Description

Brief / Intro

Vulnerability Details

Impact Details

References

Proof of Concept

Notes / Next steps