Ether Locked for Host (Host Cannot Withdraw ETH)
Summary
This contract does not allow the host to withdraw ETH that participants deposit using the receive() function. While the withdraw() function allows the host to withdraw tokens (WBTC, WETH, USDC), it does not allow the host to withdraw any ETH that has been deposited by participants.
Vulnerability Details
The receive() function allows participants to send ETH to the contract, and their balances are tracked by the etherBalance mapping.
The withdraw() function only supports the withdrawal of whitelisted tokens (WBTC, WETH, and USDC) but does not support the withdrawal of ETH.
The host is unable to withdraw any ETH that has been deposited by participants for the event, which could block access to these funds needed for the event's facilitation.
Impact
This leads to locked Ether for the host. This contract is designed to use ETH for the event (such as paying for services, purchases, etc.), the host will be unable to access these funds.
The lack of functionality for the host to withdraw ETH could severely hinder the intended operation of the contract and event facilitation.
Tools Used
Manually source code review.
Recommendations
Implement a similar function for the host to withdraw ETH as is done for the other whitelisted tokens in the
withdraw()function.This would allow the host to access and use the ETH deposited by participants to facilitate the event, preventing funds from being locked in the contract.
Lead Judging Commences
withdraw function lacks functionality to send ether
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.