Christmas Dinner
First Flight #31
Beginner FriendlyFoundrySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unprotected Withdrawal Function Allows Premature Fund Drainage

shrxyeh

Summary

The withdraw() function lacks a deadline check, allowing the host to withdraw funds while the contract is still accepting deposits.

Vulnerability Details

The withdraw() function allows the host to withdraw funds at any time, without checking if deposits are still being accepted. This lack of a deadline check exposes the contract to the risk of premature fund drainage, where the host can withdraw funds while new deposits are still ongoing. This could lead to users losing their funds if they deposit after the withdrawal. The absence of such a check breaks the trust assumption of the contract.

function withdraw() external onlyHost {
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
// No deadline check, can withdraw at any time
}

Impact

  • Host can drain contract while deposits are still allowed

  • Users could lose funds by depositing after withdrawal

  • Breaks the trust assumption of the contract

Tools Used

Foundry

Recommendations

function withdraw() external onlyHost {
require(block.timestamp > deadline, "Cannot withdraw before deadline");
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw is callable before deadline ends

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.