## [H-1] Host can withdraw funds before event deadline
### Summary
The contract allows the host to withdraw all ERC20 tokens at any time, even before the deadline is set or reached, breaking the core functionality of the Christmas dinner coordination mechanism.
### Vulnerability Details
In the `withdraw()` function, there is no validation check against the deadline:
```solidity
function withdraw() external onlyHost {
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
}
```
The function only checks if the caller is the host but fails to verify if the deadline has passed.
### Impact
- Critical: Users can lose all their deposited funds
- Host can drain contract immediately after user deposits
- Breaks the trust and timing mechanism of the contract
- No guarantee that the Christmas dinner event will occur
### Tools Used
- Foundry for testing and exploitation
- Manual code review
- Test snippet demonstrating the vulnerability:
```solidity
function test_prematureWithdraw() public {
// Setup
vm.startPrank(user1);
weth.mint(user1, 1 ether);
weth.approve(address(dinner), 1 ether);
dinner.deposit(address(weth), 1 ether);
vm.stopPrank();
// Exploit: Host withdraws before deadline
vm.prank(host);
dinner.withdraw();
assertEq(weth.balanceOf(host), 1 ether);
assertEq(weth.balanceOf(address(dinner)), 0);
}
```
### Recommendations
1. Add deadline validation to the withdraw function:
```solidity
function withdraw() external onlyHost {
require(block.timestamp > deadline, "Cannot withdraw before deadline");
require(deadlineSet, "Deadline not set");
address _host = getHost();
i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
}
```