Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Valid

Unrestricted Withdraw Timing

Location

    function withdraw() external onlyHost {
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
    }

Issue

  • The contract allows the Host to withdraw all funds from the contract at any time, regardless of whether the deadline has passed.

  • While this might be intentional, it poses a risk that the Host could “rug-pull” before the event or even before the deadline, leaving participants without recourse.

Impact

  • Participants might lose confidence or funds if the Host withdraws prematurely.

  • The original intent (“No Backsies,” and ensuring the funds are used for the event) could be undermined if the Host is malicious.

Recommendation

  • Require that withdraw() can only be called after the deadline (or a grace period):

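    modifier afterDeadline() {
        // Strict comparison: withdrawal opens only once the deadline has passed
        require(block.timestamp > deadline, "Cannot withdraw before deadline");
        _;
    }

    function withdraw() external onlyHost afterDeadline {
        // ... transfers as in the original withdraw()
    }
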
  • Alternatively, allow early withdrawal only if certain conditions are met (e.g., majority consent via an off-chain or on-chain vote).
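
A Foundry test for the deadline gate recommended above, as an added example that is not the audited contract or the submitter's code. GatedPot, HOST and the seven-day deadline are hypothetical; the pot holds ETH instead of WETH/WBTC/USDC, and the deadline is fixed at deployment so the host cannot move it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract (assumption): holds ETH
// and fixes the deadline at deployment.
contract GatedPot {
    address public immutable host;
    uint256 public immutable deadline;
    error NotHost();
    error BeforeDeadline();

    constructor(uint256 _deadline) {
        host = msg.sender;
        deadline = _deadline;
    }

    function withdraw() external {
        if (msg.sender != host) revert NotHost();
        // Same strict comparison as the recommended afterDeadline modifier.
        if (block.timestamp <= deadline) revert BeforeDeadline();
        (bool ok,) = host.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

contract GatedPotTest is Test {
    address constant HOST = address(0xA11CE); // constructed test address
    GatedPot pot;

    function setUp() public {
        vm.prank(HOST); // deploy as the host
        pot = new GatedPot(block.timestamp + 7 days);
        vm.deal(address(pot), 1 ether); // stands in for participant deposits
    }

    function test_withdrawRevertsUntilDeadlineHasPassed() public {
        vm.warp(pot.deadline()); // boundary case: exactly at the deadline
        vm.prank(HOST);
        vm.expectRevert(GatedPot.BeforeDeadline.selector);
        pot.withdraw();
    }

    function test_hostWithdrawsAfterDeadline() public {
        vm.warp(pot.deadline() + 1);
        vm.prank(HOST);
        pot.withdraw();
        assertEq(HOST.balance, 1 ether);
    }
}
```
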

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw is callable before deadline ends
