Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Missing withdrawETH Function

Summary

The contract lacks a function to withdraw ETH, only allowing the withdrawal of ERC20 tokens. This prevents the host from accessing ETH funds sent to the contract via the receive() function.

Vulnerability Details

The contract has a withdraw() function to withdraw ERC20 tokens (WBTC, WETH, USDC) but does not have a corresponding function to withdraw ETH. The receive() function allows users to send ETH to the contract, but without a withdrawETH function, these funds are locked in the contract.

Impact

  • Locked ETH Funds: ETH sent to the contract via the receive() function cannot be retrieved by the host.
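
A Foundry test that reproduces the locked-ETH condition described above. It is an added example, not code from the submission or from the audited contract. DinnerStandIn, MockToken, IERC20Like and the inline host check are constructed stand-ins; only the payable receive() and the token-only withdraw() mirror what the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the pattern in the finding: ETH is accepted through
// receive(), but the only withdrawal path moves an ERC20 balance.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

contract DinnerStandIn {
    address public immutable host;      // hypothetical: deployer acts as host
    IERC20Like public immutable token;
    constructor(IERC20Like _token) { host = msg.sender; token = _token; }
    receive() external payable {}
    function withdraw() external {
        require(msg.sender == host, "not host");
        require(token.transfer(host, token.balanceOf(address(this))), "transfer failed");
    }
}

contract MockToken is IERC20Like {
    mapping(address => uint256) public override balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external override returns (bool) {
        balanceOf[msg.sender] -= amt; balanceOf[to] += amt;
        return true;
    }
}

contract LockedEthTest is Test {
    function test_ethStaysLockedAfterWithdraw() public {
        MockToken token = new MockToken();
        DinnerStandIn dinner = new DinnerStandIn(token); // this test contract is the host
        token.mint(address(dinner), 100e18);
        address guest = makeAddr("guest");
        vm.deal(guest, 1 ether);
        vm.prank(guest);
        (bool ok,) = address(dinner).call{value: 1 ether}(""); // hits receive()
        assertTrue(ok);

        dinner.withdraw();

        assertEq(token.balanceOf(address(this)), 100e18); // tokens reach the host
        assertEq(address(dinner).balance, 1 ether);       // ETH never leaves the contract
    }
}
```

Kept as a regression test, the final assertion should be inverted once an ETH withdrawal path exists, so the suite fails if the contract can again hold ETH it cannot release.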

Tools Used

  • Manual Code Review

Recommendations

Implement a withdrawETH function, similar to withdraw(), that allows the host to withdraw the contract's ETH balance:

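    function withdrawETH() external onlyHost {
        // Only allow withdrawal once the deadline has passed
        require(block.timestamp >= deadline, "Deadline not reached");
        address payable _host = payable(getHost());
        // Send the contract's entire ETH balance to the host and revert on failure
        (bool success, ) = _host.call{value: address(this).balance}("");
        require(success, "ETH transfer failed");
    }
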
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
