Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Valid

There is no Ether withdrawal mechanism, so the host cannot withdraw the ETH deposited by the user

Summary

A high-severity vulnerability exists in the ChristmasDinner smart contract, which prevents the host from withdrawing Ether (ETH) deposited by participants for joining the event. Although the contract allows the withdrawal of ERC20 tokens, there is no equivalent mechanism to withdraw Ether, resulting in all Ether deposits being permanently locked in the contract. This issue undermines the core functionality of the protocol and can lead to significant financial losses.


Vulnerability Details

  • Component: ChristmasDinner smart contract

  • Bug Description:

    • Participants can deposit Ether to the contract using the receive() function. The deposited Ether is recorded in the etherBalance mapping for each participant.

    • While the contract includes a withdraw() function to transfer ERC20 tokens (e.g., WBTC, WETH, USDC) to the host, there is no functionality to withdraw the Ether balance accumulated in the contract.

    • As a result, all Ether deposited by participants becomes inaccessible, rendering the funds permanently stuck in the contract.

  • Root Cause: Neither the withdraw() function nor any other function in the contract transfers Ether (address(this).balance) to the host.

  • Code Snippet:
    The absence of Ether handling in the withdraw() function:

    function withdraw() external onlyHost {
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
        // Missing: No Ether transfer logic
    }

Impact

  • Effects:

    1. All Ether deposited by participants is permanently locked in the contract.

    2. The host cannot access these funds, preventing the protocol from using them for its intended purpose (facilitating the event).

    3. Loss of participant funds and disruption of protocol functionality.

    4. Erosion of user trust in the protocol due to locked funds.


Recommendation

To fix this vulnerability, the withdraw() function should be updated to include logic for transferring all Ether held by the contract to the host. Below is the recommended fix:

Updated withdraw() Function:

function withdraw() external onlyHost {
    address _host = getHost();
    // Withdraw ERC20 tokens
    i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
    i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
    i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
    // Withdraw Ether
    uint256 contractBalance = address(this).balance; // Get contract's Ether balance
    if (contractBalance > 0) {
        payable(_host).transfer(contractBalance); // Transfer all Ether to the host
    }
}
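
The following Foundry test is an added example, not part of the submission or the ChristmasDinner code base. It exercises the Ether path of the recommendation against a hypothetical stand-in contract; `EtherDinnerStandIn`, `withdrawEther()` and the custom errors are assumptions. The stand-in sends Ether with a checked `call` instead of `transfer`, which forwards only 2300 gas and can revert when the host is a contract wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the ETH path only; NOT the ChristmasDinner source.
contract EtherDinnerStandIn {
    address private immutable i_host;
    mapping(address => uint256) public etherBalance;
    error NotHost();
    error EtherTransferFailed();

    constructor() { i_host = msg.sender; }

    // Deposit path as described in the finding: ETH arrives via receive().
    receive() external payable {
        etherBalance[msg.sender] += msg.value;
    }

    // Sweeps all ETH to the host. A checked call is used (an assumption of this
    // example) because transfer() forwards only 2300 gas to the recipient.
    function withdrawEther() external {
        if (msg.sender != i_host) revert NotHost();
        (bool ok,) = payable(i_host).call{value: address(this).balance}("");
        if (!ok) revert EtherTransferFailed();
    }
}

contract EtherWithdrawTest is Test {
    EtherDinnerStandIn dinner;
    address host = makeAddr("host");   // constructed test addresses
    address guest = makeAddr("guest");

    function setUp() public {
        vm.prank(host);
        dinner = new EtherDinnerStandIn();
        vm.deal(guest, 1 ether);
    }

    function test_hostCanWithdrawDepositedEther() public {
        vm.prank(guest);
        (bool sent,) = address(dinner).call{value: 1 ether}("");
        assertTrue(sent);
        assertEq(dinner.etherBalance(guest), 1 ether);
        vm.prank(host);
        dinner.withdrawEther();
        assertEq(address(dinner).balance, 0);
        assertEq(host.balance, 1 ether);
    }
}
```

The same assertions on `address(this).balance` and the host's balance, run against the real contract's `withdraw()`, make a regression test for this finding.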

Conclusion

This high-severity vulnerability significantly impacts the functionality of the ChristmasDinner contract by locking Ether deposits indefinitely. By implementing the recommended fix, the protocol can restore its ability to handle Ether deposits and withdrawals, ensuring smooth operation and safeguarding user funds.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
