Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Valid

Premature Token Withdrawal by Host

Summary

The host can withdraw all tokens before the deadline, which can prevent participants from receiving refunds. It also gives whoever is the host an opportunity for fraud.

Vulnerability Details

//@audit no deadline check
function withdraw() external onlyHost {
    address _host = getHost();
    i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
    i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
    i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
}

withdraw() has no deadline check before the transfers, meaning the host can withdraw the current balance of the contract (including the participants' deposits) before the deadline.

Impact

If the current host is a scammer, the host can simply withdraw all the funds in the contract and decide not to go ahead with the dinner plan. Also, users who decide to get a refund won't be able to get their tokens or ETH back, since the contract no longer holds any funds.

Tools Used

Manual review

Recommendations

The deadline modifier should be added to withdraw().
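
One way to implement the recommended check, as an added example that is not the contest's or the submitter's code. It is a minimal stand-in contract; the names `GuardedWithdraw`, `host`, `deadline`, `afterDeadline` and the custom errors are assumptions, and plain `transfer` replaces the original's `safeTransfer` only to keep the block self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in, not the audited contract.
// All names below (host, deadline, afterDeadline, errors) are assumed.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract GuardedWithdraw {
    error NotHost();
    error DeadlineNotReached(uint256 nowTs, uint256 deadline);
    error TransferFailed(address token);

    address public immutable host;
    uint256 public immutable deadline; // refunds must remain payable until this time
    IERC20[] private tokens;           // e.g. WETH, WBTC, USDC

    constructor(IERC20[] memory _tokens, uint256 _deadline) {
        host = msg.sender;
        deadline = _deadline;
        tokens = _tokens;
    }

    modifier onlyHost() {
        if (msg.sender != host) revert NotHost();
        _;
    }

    // The missing check: the host may only sweep funds once the refund window is closed.
    modifier afterDeadline() {
        if (block.timestamp <= deadline) revert DeadlineNotReached(block.timestamp, deadline);
        _;
    }

    function withdraw() external onlyHost afterDeadline {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 bal = tokens[i].balanceOf(address(this));
            if (bal == 0) continue;
            // The original uses SafeERC20.safeTransfer; keep that in real code.
            if (!tokens[i].transfer(host, bal)) revert TransferFailed(address(tokens[i]));
        }
    }
}
```

The direction of the comparison matters: the check must reject calls made while refunds are still possible, so a modifier that only passes before the deadline would not address this finding.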

Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw is callable before deadline ends
