Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Valid

Missing Withdrawal Function for ETH Deposits

Summary

The contract lacks a dedicated withdrawal function for the ETH deposits made by participants. While _refundETH is a private function called during the refund process, there is no explicit external or public function allowing the contract owner (host) to withdraw all ETH deposited in the contract for event facilitation.

Vulnerability Details

Steps to Reproduce

  1. Deploy the contract.

  2. Send ETH to the contract using the receive() function.

  3. Attempt to withdraw the ETH as the host.

  4. Observe that there is no function available to retrieve the ETH.

Expected Behavior

The contract should provide a withdrawETH function for the host to retrieve ETH deposited by participants.

Impact

Contract Usability Issue: ETH deposits made by participants remain locked in the contract, as there is no mechanism for the host to retrieve these funds.

Tools Used

Foundry

Recommendations

Implement a withdrawETH function, similar to the existing withdraw function for token balances, allowing the host to withdraw all ETH held by the contract.

    function withdrawETH() external onlyHost {
        // Send the contract's entire ETH balance to the host.
        uint256 contractBalance = address(this).balance;
        require(contractBalance > 0, "No ETH to withdraw");
        // Low-level call forwards all gas; revert if the transfer fails.
        (bool success, ) = host.call{value: contractBalance}("");
        require(success, "ETH withdrawal failed");
    }
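
The Foundry test below is an added example, not part of the submission or the audited code base. It reproduces the steps above against a constructed stand-in and then exercises the recommended fix. `DinnerStub`, `DinnerStubFixed`, the `"not host"` revert string and the test names are assumptions, since the real contract's constructor and `onlyHost` implementation are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the audited contract: only a host and receive().
contract DinnerStub {
    address public host = msg.sender;
    receive() external payable {}
}

// The stand-in plus the recommended withdrawETH (onlyHost body is assumed).
contract DinnerStubFixed is DinnerStub {
    modifier onlyHost() { require(msg.sender == host, "not host"); _; }

    function withdrawETH() external onlyHost {
        uint256 contractBalance = address(this).balance;
        require(contractBalance > 0, "No ETH to withdraw");
        (bool success, ) = host.call{value: contractBalance}("");
        require(success, "ETH withdrawal failed");
    }
}

contract LockedEthTest is Test {
    address host = makeAddr("host");
    address guest = makeAddr("guest");

    function test_ethIsLockedWithoutWithdrawETH() public {
        vm.prank(host);
        DinnerStub dinner = new DinnerStub();
        hoax(guest, 1 ether); // fund guest and make it the next caller
        (bool sent, ) = address(dinner).call{value: 1 ether}("");
        assertTrue(sent); // receive() accepts the deposit
        vm.prank(host);
        (bool found, ) = address(dinner).call(abi.encodeWithSignature("withdrawETH()"));
        assertFalse(found); // no such function and no fallback: the call reverts
        assertEq(address(dinner).balance, 1 ether); // deposit is still in the contract
    }

    function test_onlyHostWithdrawsAfterFix() public {
        vm.prank(host);
        DinnerStubFixed dinner = new DinnerStubFixed();
        vm.deal(address(dinner), 1 ether); // stands in for participant deposits
        vm.prank(guest);
        vm.expectRevert(bytes("not host"));
        dinner.withdrawETH(); // a non-host caller is rejected
        vm.prank(host);
        dinner.withdrawETH();
        assertEq(host.balance, 1 ether); // host receives the full balance
    }
}
```
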
Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
