Christmas Dinner

First Flight #31

Beginner FriendlyFoundrySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

M-2: Host Can Withdraw Funds Before Deadline

andrekkr

Summary

The withdraw function in the contract allows the host to withdraw all tokens and Ether held in the contract. However, the logic does not check whether the deadline has passed before allowing the host to withdraw funds. If the host executes this function prematurely (before the deadline), it could prevent users from retrieving their funds in case they decide to withdraw.

Vulnerability Details

Root Cause: The original implementation of the withdraw function does not validate whether the current time (block.timestamp) is past the specified deadline before allowing the host to withdraw funds. This omission enables the host to prematurely drain the contract, locking user funds.

Expected Behavior: The host should only be able to withdraw funds after the deadline has passed, ensuring that users have enough time to withdraw their funds if needed.
Current Behavior: Without the deadline check, the host can execute the withdraw function at any time, causing a conflict if users attempt to reclaim their funds.

Impact

The absence of the deadline check can lead to the following issues:

Premature Withdrawal: The host can withdraw all funds from the contract before the deadline, potentially resulting in users being unable to retrieve their contributions.
Loss of Trust: This behavior undermines the trustworthiness of the contract, as it violates the expected conditions for fund management.
User Fund Lock: If funds are withdrawn prematurely, users attempting to reclaim their funds may encounter errors, causing dissatisfaction and potential legal disputes.

Tools Used

Recommendations

Enforce Deadline Validation: Ensure that the withdraw function includes a check to validate that block.timestamp is greater than the deadline:

if (block.timestamp <= deadline) {

revert DeadlineNotReached();

}

PoC

The following test demonstrates the vulnerability where the host can withdraw funds before the deadline, potentially leading to issues when a participant attempts to refund their deposit:

function test_tryResettingDeadlineAsHost() public {

uint256 amount = 2 ether;

// User1 deposits funds into the contract

vm.startPrank(user1);

ERC20Mock(weth).mint(user1, amount);

ERC20Mock(weth).approve(address(cd), amount);

cd.deposit(address(weth), amount, user1);

vm.stopPrank();

// Host sets the deadline and withdraws funds before it ends

vm.startPrank(deployer);

cd.setDeadline(8 days);

cd.withdraw();

vm.stopPrank();

// User1 attempts to refund after withdrawal, resulting in a failure

vm.startPrank(user1);

cd.refund();

vm.stopPrank();

}

When executing the test, the following failure occurs:

FAIL: ERC20InsufficientBalance(0x8Ad159a275AEE56fb2334DBb69036E9c7baCEe9b, 0, 2000000000000000000 [2e18])

This failure occurs because the host prematurely withdrew funds, leaving the contract without sufficient balance to process refunds.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

withdraw is callable before deadline ends

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.