Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Host is unable to withdraw the ETH balance from the contract.

Summary:

The `ChristmasDinner::withdraw` function sends all of the allowed tokens to the host, but it does not send the contract's ETH balance to the host. As a result, all ETH held by the contract is stuck there.

Impact:

The ETH balance is stuck in the contract, and the host cannot withdraw it.
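
A minimal, self-contained illustration of the pattern described above, added here and not taken from the ChristmasDinner code base: the contract accepts ETH, and the token-only withdrawal is shown beside a version that also forwards the full ETH balance. The names `DinnerPot`, `IERC20Like`, `withdrawTokensOnly` and `withdrawAll` are hypothetical, and a single token stands in for the three tokens of the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names are hypothetical, not the audited contract's code.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DinnerPot {
    address public immutable host;
    IERC20Like public immutable token;

    error NotHost();
    error EthTransferFailed();

    constructor(IERC20Like _token) {
        host = msg.sender;
        token = _token;
    }

    modifier onlyHost() {
        if (msg.sender != host) revert NotHost();
        _;
    }

    // Plain ETH transfers are accepted, so the contract can hold an ETH balance.
    receive() external payable {}

    // Vulnerable shape: sweeps the token but never touches address(this).balance,
    // so any ETH that was deposited has no way out of the contract.
    function withdrawTokensOnly() external onlyHost {
        require(token.transfer(host, token.balanceOf(address(this))), "token transfer failed");
    }

    // Hardened shape: sweep the token, then forward the entire ETH balance
    // and revert if the host cannot receive it.
    function withdrawAll() external onlyHost {
        require(token.transfer(host, token.balanceOf(address(this))), "token transfer failed");
        (bool ok,) = payable(host).call{value: address(this).balance}("");
        if (!ok) revert EthTransferFailed();
    }
}
```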

Proof of concept:

Add this to `ChristmasDinnerTest.t.sol`.
Code:
```solidity
function testHostCanNotWithdrawETH() public {
    _makeParticipants();

    // user2 sends 1 ETH to the contract
    vm.deal(user2, 10e18);
    vm.prank(user2);
    (bool sent,) = address(cd).call{value: 1e18}("");
    require(sent);
    assertEq(address(cd).balance, 1e18);
    assertEq(address(deployer).balance, 0);

    // the host (deployer) withdraws
    vm.prank(deployer);
    cd.withdraw();

    // the ETH is still in the contract and the host received none of it
    assertEq(address(cd).balance, 1e18);
    assertEq(deployer.balance, 0);
}
```

Recommendations:

The function should look like the recommendation below.
```diff
function withdraw() external onlyHost {
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
+ _refundETH(_host)
}
```
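
Review bot: the added line `+ _refundETH(_host)` has no terminating semicolon, so `withdraw` will not compile as written. `_host` is declared as `address`; if `_refundETH` takes an `address payable`, the argument also needs a `payable(_host)` cast. The body of `_refundETH` is not shown here, so confirm that it forwards the contract's entire `address(this).balance` and not only an amount recorded for the address passed in, and that it reverts when the ETH transfer fails; otherwise the proof of concept's final `assertEq(address(cd).balance, 1e18)` would still hold after this change.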
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
