Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing deadline check in withdraw()

Summary

The withdraw() function lacks a check to ensure that the current time is after the deadline, allowing the host to withdraw funds prematurely.

Vulnerability Details

The withdraw() function allows the host to withdraw all the collected tokens from the contract. However, it does not verify that the current timestamp (block.timestamp) is greater than the deadline. This means the host can withdraw the funds even before the event's deadline, potentially breaking the trust model of the contract.

    function withdraw() external onlyHost {
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
    }

Impact

  • Premature Withdrawal: The host can withdraw funds before the deadline, potentially leaving participants without the funds being used for the intended purpose (the event).

  • Breach of Trust: Participants expect the funds to be locked until the deadline, and this vulnerability breaks that trust.

Tools Used

  • Manual Code Review

Recommendations

Add a check to ensure that block.timestamp is greater than or equal to the deadline:

    function withdraw() external onlyHost {
        require(block.timestamp >= deadline, "Deadline not reached");
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
    }

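As an added example (not the project's code), a minimal Foundry test of the recommended time-lock: the DeadlineVault contract below is a hypothetical stand-in for the real contract (it holds ETH instead of the three ERC20 tokens, and uses a custom error rather than the require string), and the tests assert that withdraw() reverts before the deadline and succeeds once block.timestamp reaches it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract: host, deadline, time-locked withdraw.
contract DeadlineVault {
    error DeadlineNotReached(uint256 nowTs, uint256 deadline);

    address public immutable host;
    uint256 public immutable deadline;

    constructor(uint256 _deadline) {
        host = msg.sender;
        deadline = _deadline;
    }

    receive() external payable {}

    modifier onlyHost() {
        require(msg.sender == host, "not host");
        _;
    }

    // Mitigated withdraw: the deadline is enforced before any funds move.
    function withdraw() external onlyHost {
        if (block.timestamp < deadline) revert DeadlineNotReached(block.timestamp, deadline);
        (bool ok, ) = host.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

contract DeadlineVaultTest is Test {
    uint256 constant DEADLINE = 1_000_000; // constructed sample timestamp
    DeadlineVault vault;

    function setUp() public {
        vm.warp(DEADLINE - 7 days);          // start one week before the deadline
        vault = new DeadlineVault(DEADLINE); // this test contract is the host
        vm.deal(address(vault), 1 ether);    // constructed participant deposits
    }

    function test_withdraw_reverts_before_deadline() public {
        vm.expectRevert(abi.encodeWithSelector(
            DeadlineVault.DeadlineNotReached.selector, block.timestamp, DEADLINE));
        vault.withdraw();
    }

    function test_withdraw_succeeds_at_deadline() public {
        vm.warp(DEADLINE);
        uint256 before = address(this).balance;
        vault.withdraw();
        assertEq(address(this).balance - before, 1 ether);
    }

    receive() external payable {} // host must be able to receive the payout
}
```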
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw is callable before deadline ends
