Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Lack of Withdrawal Mechanism for Ether and Tokens

osuolale

Summary

The contract accumulates Ether or Tokens from buy orders as fees, but there's no dedicated function to withdraw these funds. Tokens sent to the contract by mistake or outside the intended mechanisms are also locked.

Vulnerability Details

After the contract makes money through fees, there's no way to withdraw that, making it losing access to the funds

Impact

The absence of a withdrawal mechanism can lead to the following issues:

1. Loss of Funds:

Accumulated Ether from buy orders and transaction fees are locked in the contract, making them inaccessible to the contract owner or team. This could result in a loss of revenue or funds that are critical for operations.

Trapped Tokens:

2. Tokens sent to the contract accidentally or as part of an incorrect transaction remain permanently locked. This could include user assets mistakenly sent to the contract.

Operational Hindrance:

3. Without the ability to recover funds, the contract owner may face challenges in managing operational expenses or redistributing fees as intended.

Negative User Experience:

4. Users who mistakenly send tokens or Ether to the contract may lose their assets permanently, which could lead to dissatisfaction and a loss of trust in the system.

Tools Used

Manual Review

Recommendations

Implement a withdrawFees() function for Ether and a withdrawERC20() function for tokens as suggested in previous responses.

Code Snippet:

```solidity

// Example of how to add withdrawal functions

function withdrawFees() public onlyOwner {

uint256 balance = address(this).balance;

require(balance > 0, "No Ether to withdraw");

(bool success, ) = payable(owner()).call{value: balance}("");

require(success, "Withdrawal failed");

}

function withdrawERC20(address tokenAddress) public onlyOwner {

IERC20 token = IERC20(tokenAddress);

uint256 balance = token.balanceOf(address(this));

require(balance > 0, "No tokens to withdraw");

bool success = token.transfer(owner(), balance);

require(success, "Transfer failed");

}

```

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Token misshandling

The extra eth sent by the user in the buy order will be locked in the contract forever

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.