The contract allows the owner to withdraw all funds in the contract, including those that may be allocated as rewards for users. There is no mechanism to safeguard user rewards before allowing the owner to withdraw.
The withdrawFunds function allows the owner to transfer the entire contract balance to their own address without considering outstanding rewards owed to users. This could lead to a situation where users are unable to claim their rewards after the owner withdraws all the funds.
Users may lose the ability to claim their rewards if the owner withdraws all contract funds, leading to significant loss of trust and potentially legal consequences.
Manual Code Review
Introduce a mechanism that tracks the total rewards owed to users and ensures that the owner can only withdraw funds that exceed this amount. For example, a totalRewards variable could be incremented when rewards are added in the openBox function and decremented when claimed.
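The following is an added example illustrating the recommendation; it is not the audited project's code. The function and variable names withdrawFunds, openBox and totalRewards are taken from the finding, while the surrounding reward model (a per-user rewards mapping, a claimRewards function, and an amount parameter on openBox standing in for the project's own reward calculation) is a constructed minimal assumption. The first contract shows the pattern the finding describes; the second reserves the ETH that backs outstanding rewards so the owner can only withdraw the surplus.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example only: a minimal model of the vulnerable pattern. Names follow the
// finding; the reward logic is a constructed placeholder, not the project's.
contract RewardVaultBefore {
    address public owner;
    mapping(address => uint256) public rewards;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Credits a reward to the caller. `amount` stands in for whatever the
    // real openBox computes; it is an assumption of this example.
    function openBox(uint256 amount) external {
        rewards[msg.sender] += amount;
    }

    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Vulnerable: the entire balance leaves, including ETH that backs
    // rewards users have not claimed yet, so later claims revert.
    function withdrawFunds() external onlyOwner {
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

// Hardened version: totalRewards is the sum of all unclaimed rewards and is
// kept in sync on every credit and claim. The owner may only withdraw the
// part of the balance that exceeds it.
contract RewardVaultAfter {
    address public owner;
    mapping(address => uint256) public rewards;
    uint256 public totalRewards; // liabilities owed to users

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function openBox(uint256 amount) external {
        rewards[msg.sender] += amount;
        totalRewards += amount; // liability grows when a reward is credited
    }

    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        totalRewards -= amount; // liability shrinks when a reward is paid out
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Surplus above outstanding rewards; zero if the contract is underfunded.
    function withdrawableByOwner() public view returns (uint256) {
        uint256 bal = address(this).balance;
        return bal > totalRewards ? bal - totalRewards : 0;
    }

    function withdrawFunds() external onlyOwner {
        uint256 amount = withdrawableByOwner();
        require(amount > 0, "nothing withdrawable");
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

The key invariant in the hardened contract is that address(this).balance minus totalRewards is the only amount the owner can ever move; every path that credits or settles a reward must update totalRewards, otherwise the accounting drifts and the check becomes meaningless. A reviewer should verify that no other function in the real contract transfers ETH out without going through the same check.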