Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

Functions send ETH away from the contract but perform no checks on any recipient address.

Description: The contract sends ETH without verifying the recipient's address in two places:

  • trickOrTreat refunds excess ETH to msg.sender. Found in src/TrickOrTreat.sol, line 48:

    function trickOrTreat(string memory _treatName) public payable nonReentrant {

  • withdrawFees transfers the contract balance to the owner. Found in src/TrickOrTreat.sol, line 146:

    function withdrawFees() public onlyOwner {

Impact:

  1. If msg.sender could be manipulated, or if the owner account is compromised, funds could be sent to unintended recipients.

  2. Lack of address validation can lead to unauthorized withdrawals or refunds.

Proof of Concept:

  • Scenario: An attacker could exploit a vulnerability in the contract or the Ethereum network to impersonate msg.sender or the owner.

  • Exploit: By manipulating the contract state or the transaction context, funds could be redirected to an attacker's address.

Recommended Mitigation:

  • Implement checks to ensure that msg.sender is the intended recipient before sending ETH.

  • Ensure the owner address is secure and regularly verified.

  • Consider using OpenZeppelin's Address.sendValue for ETH transfers; it forwards all available gas and reverts if the transfer fails, rather than returning a boolean that can be ignored.
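The mitigation above as a worked Solidity sketch. This is an added example, not the contest's src/TrickOrTreat.sol: the contract and member names (RefundExample, buyTreat, setTreatCost, _treatCost, FeesWithdrawn) are assumptions, and the import paths assume OpenZeppelin Contracts v5. One caveat a reviewer would add: msg.sender is set by the EVM for every call and cannot be chosen by a third party, so the practical protection a refund path needs is that the transfer reverts on failure, which Address.sendValue gives you.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not the Trick or Treat contest code.
// Contract, function and storage names below are assumed for the example.
import {Address} from "@openzeppelin/contracts/utils/Address.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract RefundExample is Ownable, ReentrancyGuard {
    using Address for address payable;

    // Assumed price table: treat name => cost in wei.
    mapping(string => uint256) private _treatCost;

    event FeesWithdrawn(address indexed to, uint256 amount);

    constructor() Ownable(msg.sender) {}

    function setTreatCost(string calldata name, uint256 cost) external onlyOwner {
        _treatCost[name] = cost;
    }

    // The buyer pays at least the treat's cost; any excess goes back to the
    // account that paid. msg.sender is supplied by the EVM for this call, so
    // the "intended recipient" of the refund is the payer by construction.
    function buyTreat(string calldata name) external payable nonReentrant {
        uint256 cost = _treatCost[name];
        require(cost != 0, "unknown treat");
        require(msg.value >= cost, "insufficient payment");

        // Effects (recording the purchase, minting, etc.) would go here,
        // before the external transfer below.

        uint256 excess = msg.value - cost;
        if (excess > 0) {
            // sendValue forwards all gas and reverts the whole purchase if
            // the refund fails, instead of silently keeping the excess.
            payable(msg.sender).sendValue(excess);
        }
    }

    // Fees go to the owner recorded in the contract. The access check that
    // matters is onlyOwner; the destination is owner(), not a caller-supplied
    // address, and a failed transfer reverts rather than stranding the funds.
    function withdrawFees() external onlyOwner {
        uint256 amount = address(this).balance;
        require(amount > 0, "nothing to withdraw");
        address payable to = payable(owner());
        to.sendValue(amount);
        emit FeesWithdrawn(to, amount);
    }
}
```

Compile against OpenZeppelin Contracts v5 (for v4 the ReentrancyGuard import lives under security/ and Ownable takes no constructor argument). The nonReentrant modifier on buyTreat matters because sendValue forwards all gas to the recipient, so a contract receiving the refund could otherwise call back into the purchase path.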

Updates

Appeal created

bube, Lead Judge, about 1 year ago
Submission Judgement Published
Invalidated. Reason: Non-acceptable severity
