## Critical Bug: ETH Revenue from `purchaseFanTokens` Permanently Locked in EventManager Contract
A critical financial design flaw has been identified in the `EventManager.sol` smart contract: all ETH revenue generated from user purchases is permanently trapped. When users call the `purchaseFanTokens()` function, the ETH sent as `msg.value` is accepted by the contract, but the contract exposes no withdrawal mechanism at all. The funds are therefore irretrievable; neither the contract owner nor the event creator who deployed the contract can access the accumulated revenue. Every purchase effectively destroys the capital it brings in, a severe financial risk for any project deploying this code.

The bug resides in the function's handling of value, not in the token transfer itself: the ETH is received but never forwarded to anyone or credited anywhere. The code snippet attached to the issue (not reproduced in this summary) shows the function performing a token transfer without handling the incoming Ether, which simply accumulates in the contract's balance. The report notes that this is compounded by a separate bug on the same line in the token cost calculation, which this summary does not detail. With no withdrawal function and no internal accounting, such as a mapping that tracks revenue per event, the funds are inaccessible by omission rather than by design.

The immediate implication is the loss of all sale proceeds: the ETH users pay in is neither refundable to them nor claimable by the project. For any live deployment, this flaw would freeze every wei of income from fan token sales, potentially crippling the business model. The required fix is a revenue tracking system, such as an `eventRevenue` mapping that credits incoming ETH to the event it was paid for, plus a `withdrawRevenue` function restricted to that event's designated creator. Two caveats apply to that fix: the withdrawal must zero the tracked balance before sending ETH (checks-effects-interactions), so a creator that is itself a contract cannot re-enter and drain revenue belonging to other events, and the cost-calculation bug on the same line must be fixed first, since `eventRevenue` is only correct if the amount charged is. Without this patch the contract is a financial black hole.
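The following is an added illustration, not code from the issue or from `EventManager.sol`: a minimal sketch of the reported pattern (a `payable` purchase function with no exit for ETH) beside a hardened version with per-event accounting and a creator-only pull withdrawal. Every name below (`createEvent`, `FanEvent`, `tokenPrice`, `fanTokenBalance`, the numeric event IDs, the fixed price in the sketch) is an assumption; the real contract's storage layout and signatures are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Sketch of the reported pattern. Constructed for illustration; not the
// issue's actual code, and the token price and accounting are assumptions.
contract LockedRevenueSketch {
    uint256 public constant TOKEN_PRICE = 0.01 ether; // assumed
    mapping(address => uint256) public fanTokenBalance;

    function purchaseFanTokens(uint256 amount) external payable {
        require(msg.value >= TOKEN_PRICE * amount, "insufficient ETH");
        fanTokenBalance[msg.sender] += amount;
        // msg.value is now part of address(this).balance. No function in this
        // contract can move ETH out, so every purchase is permanently locked.
    }
}

// Hardened form: per-event accounting plus a creator-only pull withdrawal.
contract EventManagerRevenueExample {
    struct FanEvent {
        address creator;
        uint256 tokenPrice; // wei per fan token (assumed pricing model)
    }

    mapping(uint256 => FanEvent) public events;
    mapping(uint256 => mapping(address => uint256)) public fanTokenBalance;
    // ETH received for each event and not yet withdrawn.
    mapping(uint256 => uint256) public eventRevenue;

    uint256 private _entered = 1; // minimal reentrancy guard (1 = free, 2 = busy)

    event TokensPurchased(uint256 indexed eventId, address indexed buyer, uint256 amount, uint256 cost);
    event RevenueWithdrawn(uint256 indexed eventId, address indexed creator, uint256 amount);

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    function createEvent(uint256 eventId, uint256 tokenPrice) external {
        require(events[eventId].creator == address(0), "event exists");
        require(tokenPrice > 0, "price must be nonzero");
        events[eventId] = FanEvent({creator: msg.sender, tokenPrice: tokenPrice});
    }

    function purchaseFanTokens(uint256 eventId, uint256 amount) external payable {
        FanEvent storage ev = events[eventId];
        require(ev.creator != address(0), "unknown event");
        require(amount > 0, "amount must be nonzero");
        uint256 cost = ev.tokenPrice * amount; // 0.8.x reverts on overflow
        require(msg.value == cost, "incorrect ETH sent"); // exact, so nothing is unaccounted

        fanTokenBalance[eventId][msg.sender] += amount;
        eventRevenue[eventId] += msg.value; // the accounting the reported contract lacks
        emit TokensPurchased(eventId, msg.sender, amount, cost);
    }

    // Checks-effects-interactions: the tracked balance is zeroed before the
    // external call, so a re-entering creator contract finds nothing to claim.
    function withdrawRevenue(uint256 eventId) external nonReentrant {
        FanEvent storage ev = events[eventId];
        require(msg.sender == ev.creator, "not event creator");
        uint256 amount = eventRevenue[eventId];
        require(amount > 0, "nothing to withdraw");

        eventRevenue[eventId] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit RevenueWithdrawn(eventId, msg.sender, amount);
    }

    // Deliberately no receive() or fallback(): stray ETH is rejected rather
    // than entering the contract outside eventRevenue.
}
```

Two design notes. The withdrawal uses `call{value: ...}` rather than `transfer`, because `transfer` forwards a fixed 2300 gas stipend and fails for creator addresses that are contracts with non-trivial `receive()` logic; the reentrancy guard and the zeroed balance are what make the unbounded-gas call safe. A quick check for the locked-funds condition in any contract under review: if it has `payable` functions but contains no `.call{value`, `.transfer(`, `.send(` or `selfdestruct` anywhere, ETH can only ever flow in.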
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: smart_contract, ethereum, security_bug, financial_risk, solidity
- **Credibility**: unverified
- **Published**: 2026-04-11 13:22:32
- **ID**: 60052
- **URL**: https://whisperx.ai/en/intel/60052