The withdrawFees function in the PuppyRaffle contract lacks proper access control, allowing any address to withdraw the fees. This could lead to unauthorized withdrawals and potential loss of funds.
The withdrawFees function is designed to allow the owner of the contract to withdraw the accumulated fees. However, the function does not have any access control mechanisms in place. This means that any address can call the function and withdraw the fees.
An attacker could simply call the withdrawFees function to withdraw the fees:
Unauthorized withdrawals could lead to loss of funds. This could disrupt the operation of the contract and potentially lead to a loss of trust in the contract.
To mitigate this risk, add an access control mechanism to the withdrawFees function to ensure that only authorized addresses can withdraw the fees. This could be done using the onlyOwner modifier provided by the OpenZeppelin Ownable contract:
This will ensure that only the owner of the contract can withdraw the fees, preventing unauthorized withdrawals.
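The recommendation above, sketched as an added example (not the PuppyRaffle source and not code from this submission): a fee withdrawal with no caller check, next to the same function guarded by onlyOwner. It assumes OpenZeppelin Contracts v5, where the Ownable constructor takes the initial owner. The contract names, collect(), totalFees and the payout to msg.sender in the unguarded version are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 (Ownable takes the initial owner).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical fee vault WITHOUT access control (the pattern the finding describes).
contract FeeVaultUnrestricted {
    uint256 public totalFees;

    // Stand-in for whatever logic accrues fees in the real contract.
    function collect() external payable {
        totalFees += msg.value;
    }

    // No caller check: any address can trigger the payout.
    function withdrawFees() external {
        uint256 amount = totalFees;
        totalFees = 0; // zero the balance before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Same vault with the recommended guard.
contract FeeVaultOwned is Ownable {
    uint256 public totalFees;

    // The deployer becomes the owner; ownership can later be moved
    // with transferOwnership().
    constructor() Ownable(msg.sender) {}

    function collect() external payable {
        totalFees += msg.value;
    }

    // onlyOwner reverts with OwnableUnauthorizedAccount(caller)
    // for every address other than owner().
    function withdrawFees() external onlyOwner {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = payable(owner()).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A test for the guarded version should call withdrawFees() from a non-owner account and expect the OwnableUnauthorizedAccount revert, then confirm totalFees is unchanged.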