Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Funds Withdrawal Without Balance Check

0xserpent

Summary

The contract owner can withdraw all funds from the contract without considering outstanding user claims, potentially leaving users unable to claim their rewards.

Vulnerability Details

The withdrawFunds() function allows the owner to transfer the entire contract balance:

(bool success,) = payable(owner).call{value: address(this).balance}("");

There is no check to ensure that enough funds remain in the contract to cover user rewards. This can lead to situations where users are unable to claim their rewards if the owner withdraws all the Ether.

Impact

If the contract’s balance is drained, users will not be able to claim their rewards, resulting in significant user dissatisfaction and potential financial loss. This could lead to the contract being considered fraudulent or mismanaged.

Tools Used

Manual code review

Recommendations

Implement a function to calculate the total value of all unclaimed rewards and ensure the contract retains sufficient funds before allowing any withdrawal. For example:

require(address(this).balance > totalPendingRewards(), "Insufficient funds to cover rewards");
Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.