withdrawFees can be called by anyone. There is no onlyOwner modifier. What if, eg, the contract owner lost the private keys to the current feeAddress and wanted to update it but a third party called withdrawFees before the owner had a chance to do so? There is no good reason that anyone other than the contract owner (or someone they have delegated to) should be able to call withdrawFees.
The fees could end up locked in the contract if the keys for the fee address have been lost and a third party calls withdrawFees before feeAddress can be updated. Also, it should be the owner's control when the fees are withdrawn because it is his contract.
Manual review
Add an onlyOwner modifier. You have already imported from Ownable.sol from OpenZeppelin so you don't even need to write your own modifier:
If you want a third party to also be able to withdraw, you could either create a modifier onlyOwnerOrDelegate with a check that the calling address is in an array of permitted addresses. If you do this, you could also create the ability to add or remove addresses if you want.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.