Submission Details
Severity:
Missing Deadline Validation in `withdraw()` Function
Description: The withdraw() function lacks deadline validation, allowing the host to withdraw funds before the deadline. The actual vulnerability is found here:
function withdraw() external onlyHost {
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
}
Impact:
Host can drain all user deposits before the event
Complete loss of user funds
Breaks the trust model of the contract
Proof of Concept:
function testPrematureWithdraw() public {
// Setup
vm.prank(host);
christmasDinner.setDeadline(7); // 7 days deadline
// Make deposits
vm.deal(alice, 1 ether);
vm.prank(alice);
(bool success,) = address(christmasDinner).call{value: 1 ether}("");
require(success);
// Host withdraws immediately
vm.prank(host);
christmasDinner.withdraw();
// Verify premature withdrawal succeeded
assertEq(address(christmasDinner).balance, 0);
}
Recommended Mitigation: Add deadline check to withdraw() function:
function withdraw() external onlyHost {
require(block.timestamp > deadline, "Cannot withdraw before deadline");
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
}
Updates
Lead Judging Commences
0xtimefliez 7 months ago
Submission Judgement Published Assigned finding tags:
withdraw is callable before deadline ends
0xtimefliez 7 months ago
Submission Judgement Published Assigned finding tags:
withdraw is callable before deadline ends
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.