Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: high
Valid

Received ether will be stuck forever because there is no withdrawal mechanism

Description:

In the ChristmasDinner::withdraw function, there is no mechanism for the host to withdraw ether:

    function withdraw() external onlyHost {
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
@>      // no mechanism to withdraw ether
    }

Impact:

The host will not be able to withdraw ether, and the funds will be stuck forever.
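
A pre-deployment check for this bug class, added here as an example (not part of the original submission or the project's code): a regex heuristic that flags contracts able to receive ether but containing no statement that sends it out. The `Before`/`After` contracts are constructed from the snippets in this report, and pattern matching on Solidity source is an approximation, not a parser.

```python
import re

# Statements that send ether: addr.call{value: x}(""), addr.send(x), selfdestruct(a).
SINK = re.compile(r"\.call\s*\{[^}]*\bvalue\s*:|\.send\s*\(|\bselfdestruct\s*\(")
# addr.transfer(x) has one argument; token.transfer(to, x) has two and moves no ether.
ETH_TRANSFER = re.compile(r"\.transfer\s*\(([^;]*)\)\s*;")
# Entry points that accept ether: receive(), or a payable function / fallback.
PAYABLE = re.compile(
    r"\breceive\s*\(\s*\)|\b(?:function\s+\w+|fallback)\s*\([^)]*\)[^{;]*\bpayable\b")

def strip_comments(src):
    return re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)

def contracts(src):
    """Yield (name, body) per contract, matching braces to find the body."""
    for m in re.finditer(r"\bcontract\s+(\w+)[^{;]*\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def has_ether_exit(body):
    one_arg = any("," not in m.group(1) for m in ETH_TRANSFER.finditer(body))
    return bool(SINK.search(body)) or one_arg

def locked_ether(src):
    """Contracts that can receive ether but have no statement sending it out."""
    return [name for name, body in contracts(strip_comments(src))
            if PAYABLE.search(body) and not has_ether_exit(body)]

# Constructed sample: the finding's withdraw() pattern, before and after the fix.
SAMPLE = """
contract Before {
    receive() external payable {}
    function withdraw() external {
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        // missing: _host.call{value: address(this).balance}("")
    }
}
contract After {
    receive() external payable {}
    function withdraw() external {
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        (bool sent,) = _host.call{value: address(this).balance}("");
        require(sent, "transfer failed");
    }
}
"""
print(locked_ether(SAMPLE))  # contracts flagged as able to trap ether
```

Comments are stripped before matching, so the commented-out `call{value: ...}` in `Before` does not count as an exit path.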

Proof of Concept:

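    function test_modifiedWithdraw() public {
        // user1 sends 1 ether directly to the contract
        vm.deal(user1, 1e18);
        vm.prank(user1);
        (bool sent1, ) = address(cd).call{value: 1e18}("");
        assertTrue(sent1);

        address host2 = cd.getHost();
        uint256 hostBalanceBefore = host2.balance;
        vm.prank(host2);
        cd.withdraw();

        // withdraw() moved no ether: the host's balance is unchanged
        // and the contract still holds user1's 1 ether
        assertEq(host2.balance, hostBalanceBefore);
        assertGe(address(cd).balance, 1e18);
    }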

Recommended Mitigation:

function withdraw() external onlyHost {
address _host = getHost();
...
+ (bool sent,) = _host.call{value: address(this).balance}("");
+ require(sent, "transfer failed");
}
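
Review bot: the `require(sent, "transfer failed");` added as the last statement of `withdraw()` reverts the whole call whenever `_host` cannot accept ether, which also undoes the token transfers made earlier in the same function. Either document that the host address must be able to receive ether, or move the ether sweep into its own host-only function so a failed ether send cannot block the token withdrawal. Keeping the ether send after the token transfers, as done here, is the right order. The change also comes without a test; one that asserts the contract's ether balance is zero and the host's balance has increased after `withdraw()` would cover it.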
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
