Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
Submission Details
Severity: high
Valid

[H-1] `ChristmasDinner::withdraw` has Missing ETH Withdraw Logic

Summary

The withdraw function does not include logic for withdrawing Ether that has been sent to the contract through the receive() function. As a result, any Ether deposited will remain locked in the contract with no way for the host to withdraw it.

Vulnerability Details

  1. A participant sends Ether to the contract.

  2. The host calls the withdraw function.

  3. Ether remains locked in the contract, as there is no logic to handle its withdrawal.
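
The three steps above as a Foundry test. This is an added illustration, not code from the submission or from the ChristmasDinner source; `DinnerLike` and `MockToken` are constructed stand-ins that model only a `receive()` function and a token-only `withdraw()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed minimal token, just enough to show the token path of withdraw() working.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Constructed stand-in (assumption): accepts Ether, but withdraw() moves tokens only.
contract DinnerLike {
    address public immutable host;
    MockToken public immutable token;
    constructor(MockToken _token) { host = msg.sender; token = _token; }
    receive() external payable {}
    function withdraw() external {
        require(msg.sender == host, "not host");
        require(token.transfer(host, token.balanceOf(address(this))), "token transfer failed");
    }
}

contract LockedEtherTest is Test {
    function test_EtherStaysLockedAfterWithdraw() public {
        address host = makeAddr("host");
        address participant = makeAddr("participant");
        MockToken token = new MockToken();
        vm.prank(host); // deploy as the host
        DinnerLike dinner = new DinnerLike(token);
        token.mint(address(dinner), 100e18);
        // Step 1: a participant sends Ether, which receive() accepts.
        vm.deal(participant, 1 ether);
        vm.prank(participant);
        (bool ok, ) = address(dinner).call{value: 1 ether}("");
        assertTrue(ok);
        // Step 2: the host withdraws.
        vm.prank(host);
        dinner.withdraw();
        // Step 3: tokens reached the host, the Ether did not move.
        assertEq(token.balanceOf(host), 100e18);
        assertEq(host.balance, 0);
        assertEq(address(dinner).balance, 1 ether);
    }
}
```

Placed in a Foundry project's `test/` directory, this passes under `forge test`, and the final assertion is the locked balance the finding describes.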

Impact

Locked Ether funds reduce the utility of the contract, as the host cannot access them, leading to operational inefficiencies and user dissatisfaction.

Tools Used

Manual Review

Recommendations

Add Ether withdrawal logic in the withdraw function, such as:

function withdraw() external onlyHost {
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
+ (bool success, ) = _host.call{value: address(this).balance}("");
+ require(success, "Ether transfer failed");
}
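
Review bot: The `require(success, "Ether transfer failed")` on the last added line couples the Ether send to the three `safeTransfer` calls above it: if `_host` is a contract that cannot receive Ether, the whole `withdraw()` reverts and the WETH, WBTC and USDC balances can no longer be withdrawn either. Consider moving the Ether transfer into its own host-only function, or skipping the call when `address(this).balance` is zero, so that a failing Ether send cannot block the token withdrawal.
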
Updates

Lead Judging Commences

0xtimefliez Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
