Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Absence of Emergency Withdrawal Mechanism in TokenDivider Contract

0xadwa

Summary

The contract currently lacks an emergency withdrawal mechanism for the owner or users in case of unforeseen issues, such as contract malfunction or a failed transaction. Without this mechanism, funds or assets could become locked in the contract and inaccessible.

Vulnerability Details

If an issue arises with the contract (e.g., a bug or malicious exploit), users or the owner would not be able to retrieve their funds or NFTs. This could lead to loss of assets, especially if the contract interacts with external systems and relies on ERC20 or ERC721 tokens.

Impact

The absence of an emergency withdrawal function exposes the contract to potential risks if it encounters a critical issue, such as a contract bug, misbehavior, or malicious exploit. Without this feature, users or the contract owner would be unable to recover their tokens or assets in case the contract becomes compromised or encounters a fatal error.

Tools Used

Recommendations

Add a function allowing the owner to withdraw ERC20 and ERC721 tokens in case of emergency. This function would give the contract owner the ability to retrieve locked tokens, mitigating the risk of funds being stuck in the contract.

function emergencyWithdrawERC20(address token, uint256 amount) external onlyOwner {

require(IERC20(token).transfer(msg.sender, amount), "Transfer failed");

}

function emergencyWithdrawERC721(address nftAddress, uint256 tokenId) external onlyOwner {

IERC721(nftAddress).safeTransferFrom(address(this), msg.sender, tokenId);

}

// Emergency withdrawal of Ether (ETH)

function emergencyWithdrawEther(uint256 amount) external onlyOwner {

require(address(this).balance >= amount, "Insufficient Ether balance");

// Transfer Ether to the owner's address

(bool success, ) = msg.sender.call{value: amount}("");

require(success, "Transfer failed");

}

Updates

Lead Judging Commences

fishy Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Token misshandling

The extra eth sent by the user in the buy order will be locked in the contract forever

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.