TwentyOne

First Flight #29
Beginner Friendly, GameFi, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing Owner Withdrawal Functionality in the TwentyOne Contract

Summary

The TwentyOne contract currently lacks functionality for the contract owner to withdraw collected fees. This omission prevents the owner from accessing the contract's accumulated balance, which may include unused funds or player deposits.

This could result in funds being permanently locked within the contract, especially if payouts to players do not fully deplete the balance. Such a scenario can impact the operational sustainability of the game.

Vulnerability Details

  • Deploy the contract on a testnet.

  • Have a player start a game by sending 1 ETH to the startGame function.

  • Observe that the contract balance increases.

  • Attempt to withdraw the balance as the contract owner (no functionality exists to perform this action).

Impact

  • Locked funds reduce operational efficiency and may cause dissatisfaction for the contract owner.

  • Potential financial loss for the owner if funds cannot be retrieved.

Tools Used

Manual review

Recommendations

    // Restricts a function to the stored contract owner (assumes the contract
    // already keeps an `owner` address).
    modifier onlyOwner() {
        require(msg.sender == owner, "Caller is not the owner");
        _;
    }

    // Lets the owner recover the full contract balance. Note that transfer forwards
    // only a 2300-gas stipend, so it fails if the owner is a contract whose receive
    // logic needs more gas than that.
    function withdrawFunds() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
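As an added example (not the TwentyOne code and not part of this submission), the following Foundry test uses a hypothetical minimal stand-in for the contract, exposing only a payable startGame and a stored owner, to show the recommended owner-only withdrawal: a non-owner call reverts and the owner recovers the full balance. The stand-in's names and the exact 1 ETH buy-in check are assumptions made here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Minimal stand-in for TwentyOne (hypothetical, not the audited contract): only the
// payable startGame and a stored owner that the finding relies on.
contract TwentyOneWithWithdraw {
    address public immutable owner;
    error NotOwner();
    error WithdrawFailed();
    constructor() { owner = msg.sender; }

    // Stands in for the real startGame: takes the player's 1 ETH buy-in.
    function startGame() external payable {
        require(msg.value == 1 ether, "startGame: send exactly 1 ETH");
    }

    // The recommended addition. call replaces transfer so an owner that is a multisig
    // or other contract is not starved by the 2300-gas stipend; the whole balance is
    // sent in one step, so a reentrant call would find nothing left.
    function withdrawFunds() external {
        if (msg.sender != owner) revert NotOwner();
        (bool ok,) = payable(owner).call{value: address(this).balance}("");
        if (!ok) revert WithdrawFailed();
    }
}

contract WithdrawTest is Test {
    TwentyOneWithWithdraw game;
    address player = makeAddr("player");
    function setUp() public {
        game = new TwentyOneWithWithdraw(); // this test contract becomes the owner
        vm.deal(player, 1 ether);
        vm.prank(player);
        game.startGame{value: 1 ether}(); // the deposit the report observes
    }

    function test_NonOwnerCannotWithdraw() public {
        vm.prank(player);
        vm.expectRevert(TwentyOneWithWithdraw.NotOwner.selector);
        game.withdrawFunds();
    }
    function test_OwnerRecoversFullBalance() public {
        uint256 before = address(this).balance;
        game.withdrawFunds();
        assertEq(address(game).balance, 0);
        assertEq(address(this).balance, before + 1 ether);
    }
    receive() external payable {} // lets the owner (this test) accept the withdrawal
}
```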
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Owner has no method to withdraw
