Submission Details
Severity:
withdrawFees function should have onlyOwner modifier
Summary
The function PuppyRaffle::withdrawFees should be used by the owner, but currently anyone can call it.
Vulnerability Details
@> function withdrawFees() external {
require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!");
uint256 feesToWithdraw = totalFees;
totalFees = 0;
(bool success,) = feeAddress.call{value: feesToWithdraw}("");
require(success, "PuppyRaffle: Failed to withdraw fees");
}
The function PuppyRaffle::withdrawFees allows you to collect the fees on the contract by sending them to the address chosen by the owner, therefore the owner should be the only one who can call the method.
Impact
The impact is low, because if someone calls the function, the fees present on the contract are still sent to the address chosen by the owner, so there is no loss of funds.
Tools Used
Manual review
Recommendations
Add the onlyOwner modifier.
- function withdrawFees() external {
+ function withdrawFees() external onlyOwner {
Updates
Lead Judging Commences
Hamiltonite about 2 years ago
Submission Judgement Published Reason: User experience and design improvement
Rewards breakdown
nSLOC
143This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.