Christmas Dinner

First Flight #31
Tags: Beginner Friendly, Foundry, Solidity

Submission Details
Severity: high
Valid

The host can withdraw the contract's entire token balance before the deadline.

Summary:

`ChristmasDinner::withdraw` is gated only by `onlyHost`; it does not check whether the deadline has passed. The host can therefore sweep every WETH, WBTC and USDC token held by the contract at any time, including while participants are still allowed to deposit and to call `refund`.
```solidity
@> function withdraw() external onlyHost {
       address _host = getHost();
       i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
       i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
       i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
   }
```

Impact:

Participants who call `refund` before the deadline cannot recover their deposits: the contract's balance has already been sent to the host, so the refund transfer fails. The refund guarantee the deadline is supposed to provide is void.

Proof of concept:

Add the following test to `ChristmasDinnerTest.t.sol`. It uses the existing fixture (`cd`, `wbtc`, `user1`, `deployer`). The deadline in the fixture is later than 3 days, so `user1` deposits while deposits and refunds are still open; the host then sweeps the balance, and the participant's refund reverts because the contract no longer holds the tokens.
```solidity
function testUserCannotGetTheirAmountBackCollectedByHost() public {
    // Still before the deadline: participant deposits 2 WBTC.
    vm.warp(1 + 3 days);
    vm.startPrank(user1);
    cd.deposit(address(wbtc), 2e18);
    assertEq(wbtc.balanceOf(address(cd)), 2e18);
    vm.stopPrank();

    // Host sweeps the whole balance although the deadline has not passed.
    vm.prank(deployer);
    cd.withdraw();

    // The participant's refund now fails: the contract holds no WBTC.
    vm.startPrank(user1);
    vm.expectRevert();
    cd.refund();
    vm.stopPrank();
    assertEq(wbtc.balanceOf(user1), 0);
}
```

Recommendations:

Add a check to `ChristmasDinner::withdraw` that reverts while the deadline has not yet passed, so that the host can only sweep the balance once participants can no longer claim a refund.

Note that the contract's `beforeDeadline` modifier is the wrong tool here: as its name says, it only lets a call through before the deadline, so attaching it to `withdraw` would leave the early sweep possible and instead lock the host out after the deadline. The condition needed is the opposite one. Assuming `deadline` is the contract's stored deadline timestamp:
```diff
  function withdraw() external onlyHost {
+     // Only allow the sweep once the deadline has passed, so refund()
+     // can always be served before it.
+     require(block.timestamp > deadline, "deadline not reached");
      address _host = getHost();
      i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
      i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
      i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
  }
```
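Two regression tests for the fix, as an added example that is not part of the original submission or the project's own test suite. They assume the same Foundry fixture as `ChristmasDinnerTest.t.sol` (`cd`, `wbtc`, `user1`, `deployer`, with token approvals granted in `setUp`), that `withdraw` now reverts before the deadline as recommended above, and that the fixture's deadline is 7 days; adjust the warp values if your fixture differs.

```solidity
// Assumed fixture: cd (ChristmasDinner with the fix applied), wbtc (mock token),
// user1 (participant), deployer (host); deadline set to 7 days in setUp.

function testHostCannotSweepBeforeDeadlineButUserCanRefund() public {
    // Before the deadline: the participant deposits 2 WBTC.
    vm.warp(1 + 3 days);
    vm.prank(user1);
    cd.deposit(address(wbtc), 2e18);
    uint256 userBefore = wbtc.balanceOf(user1);

    // An early sweep by the host must now revert and leave the balance intact.
    vm.expectRevert();
    vm.prank(deployer);
    cd.withdraw();
    assertEq(wbtc.balanceOf(address(cd)), 2e18);

    // The participant can still take their deposit back before the deadline.
    vm.prank(user1);
    cd.refund();
    assertEq(wbtc.balanceOf(user1), userBefore + 2e18);
    assertEq(wbtc.balanceOf(address(cd)), 0);
}

function testHostCanWithdrawAfterDeadline() public {
    vm.warp(1 + 3 days);
    vm.prank(user1);
    cd.deposit(address(wbtc), 2e18);
    uint256 hostBefore = wbtc.balanceOf(deployer);

    // Past the assumed 7-day deadline: refunds are closed and the sweep is allowed.
    vm.warp(1 + 8 days);
    vm.prank(deployer);
    cd.withdraw();
    assertEq(wbtc.balanceOf(address(cd)), 0);
    assertEq(wbtc.balanceOf(deployer), hostBefore + 2e18);
}
```

The first test is the mirror image of the proof of concept above: with the check in place the participant's refund succeeds and the host's early call is the one that reverts. The second test guards against over-correcting (for example by reusing `beforeDeadline`), which would make the host unable to collect at all.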
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw is callable before deadline ends
