Christmas Dinner

First Flight #31
Beginner Friendly | Foundry | Solidity
100 EXP
Submission Details
Severity: high
Valid

Vulnerability in `ChristmasDinner::withdraw`: host unable to withdraw all funds

Summary

  • The host is intended to be able to withdraw all Ether and ERC20 tokens held by the contract. The `withdraw` function, however, transfers only the three tokens (WETH, WBTC, USDC) and never forwards the contract's native Ether balance, so any ETH sent directly to the contract stays locked there and the host cannot withdraw it.

Impact

  • This vulnerability prevents the host from withdrawing native ETH from the contract. If, for example, 80% of the funds were contributed as native ETH, the host would have no way to access that portion and would have to cover the event's expenses out of their own pocket.

ProofOfConcept

  • The following Foundry test is the proof of concept:

```solidity
function test_POC_Host_Unable_To_Withdraw_Native_Eth() public {
    _makeParticipants();

    // Each participant deposits 2e18 of every token and sends 1 ETH directly to the contract.
    // The original POC left the low-level call's return value unchecked; a failed transfer
    // would silently leave that participant without an ETH deposit, so it is asserted here.
    startHoax(user1);
    cd.deposit(address(usdc), 2e18);
    cd.deposit(address(weth), 2e18);
    cd.deposit(address(wbtc), 2e18);
    (bool ok1,) = address(cd).call{value: 1e18}("");
    require(ok1, "user1 ETH transfer failed");

    startHoax(user2);
    cd.deposit(address(usdc), 2e18);
    cd.deposit(address(weth), 2e18);
    cd.deposit(address(wbtc), 2e18);
    (bool ok2,) = address(cd).call{value: 1e18}("");
    require(ok2, "user2 ETH transfer failed");

    startHoax(user3);
    cd.deposit(address(usdc), 2e18);
    cd.deposit(address(weth), 2e18);
    cd.deposit(address(wbtc), 2e18);
    (bool ok3,) = address(cd).call{value: 1e18}("");
    require(ok3, "user3 ETH transfer failed");

    // Move past the deadline, then withdraw as the host (the deployer).
    vm.warp(100);
    vm.startPrank(deployer);
    console.log("Starting Natie ETH Balance of deployer :", deployer.balance);
    console.log("Starting USDC Balance of deployer :", usdc.balanceOf(deployer));
    console.log("Starting WETH Balance of deployer :", weth.balanceOf(deployer));
    console.log("Starting WBTC Balance of deployer :", wbtc.balanceOf(deployer));
    cd.withdraw();
    console.log("Ending Natie ETH Balance of deployer :", deployer.balance);
    console.log("Ending USDC Balance of deployer :", usdc.balanceOf(deployer));
    console.log("Ending WETH Balance of deployer :", weth.balanceOf(deployer));
    console.log("Ending WBTC Balance of deployer :", wbtc.balanceOf(deployer));
    // The ETH balance of the contract is unchanged by withdraw(): this is the bug.
    console.log("Native ETH balance in ChristmasDinner after withdraw by host :", address(cd).balance);
}
```
  • Add the test above to the `ChristmasDinnerTest` contract in `ChristmasDinnerTest.t.sol`.

  • Run it with: `forge test --match-test test_POC_Host_Unable_To_Withdraw_Native_Eth -vv`

  • You will get the following output:

```
Starting Natie ETH Balance of deployer : 0
Starting USDC Balance of deployer : 0
Starting WETH Balance of deployer : 0
Starting WBTC Balance of deployer : 0
Ending Natie ETH Balance of deployer : 0
Ending USDC Balance of deployer : 6000000000000000000
Ending WETH Balance of deployer : 6000000000000000000
Ending WBTC Balance of deployer : 6000000000000000000
Native ETH balance in ChristmasDinner after withdraw by host : 13000000000000000000
```

Tools Used

  • Foundry

Recommendations

Forward the contract's native balance to the host before (or alongside) the token transfers, and revert if that transfer fails:

```diff
 function withdraw() external onlyHost {
     address _host = getHost();
+    (bool check1,) = _host.call{value: address(this).balance}("");
+    require(check1, "Host Native ETH withdraw failed");
     i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
     i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
     i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
 }
```
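As an added regression test (not part of the original submission or the ChristmasDinner project), the check below turns the console-based POC into assertions that fail on the current `withdraw` and pass once it forwards the native balance. It reuses the fixture names from the POC (`cd`, `deployer`, `user1..user3`, `usdc`, `weth`, `wbtc`, `_makeParticipants`) and assumes the test contract inherits forge-std's `Test`, as the POC's use of `startHoax` implies.

```solidity
// Added regression test; assumes the ChristmasDinnerTest fixture used by the POC above.
function test_Host_Withdraws_All_Native_Eth_And_Tokens() public {
    _makeParticipants();

    // Three participants each deposit tokens and 1 ETH, exactly as in the POC.
    address[3] memory users = [user1, user2, user3];
    for (uint256 i = 0; i < users.length; i++) {
        startHoax(users[i]);
        cd.deposit(address(usdc), 2e18);
        cd.deposit(address(weth), 2e18);
        cd.deposit(address(wbtc), 2e18);
        (bool ok,) = address(cd).call{value: 1e18}("");
        require(ok, "ETH deposit failed");
        vm.stopPrank();
    }

    vm.warp(100);

    // Snapshot what the host is entitled to before withdrawing.
    uint256 contractEth = address(cd).balance;
    uint256 hostEthBefore = deployer.balance;
    assertGt(contractEth, 0, "fixture should leave native ETH in the contract");

    vm.prank(deployer);
    cd.withdraw();

    // Native ETH: the contract must be drained and the host credited in full.
    // (Foundry tests run with zero gas price, so the host's balance is not reduced by gas.)
    assertEq(address(cd).balance, 0, "native ETH left in contract after withdraw");
    assertEq(deployer.balance, hostEthBefore + contractEth, "host did not receive all ETH");

    // Tokens: already correct today, kept so the test guards the whole withdraw path.
    assertEq(usdc.balanceOf(address(cd)), 0, "USDC left in contract");
    assertEq(weth.balanceOf(address(cd)), 0, "WETH left in contract");
    assertEq(wbtc.balanceOf(address(cd)), 0, "WBTC left in contract");
}
```

Note that with the recommended fix a host address that rejects plain ETH transfers (a contract without a payable `receive`/`fallback`) would make the whole `withdraw` revert, tokens included, so the host address should be verified to accept ETH before deployment.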
Updates

Lead Judging Commences

0xtimefliez Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
