DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Fee Withdrawal Vulnerability Leads to Permanent Fund Locking

Summary

withdrawFees sets totalFees to 0 before it verifies that the transfer succeeded. If the withdrawFees transaction fails, the fees are left permanently locked in the contract.

Vulnerability Details

The withdrawFees function first sets totalFees = 0 and only then attempts to transfer the funds. If the transfer fails (e.g., because a malicious recipient rejects incoming ETH), the contract has already updated totalFees, so later withdrawal attempts find nothing to withdraw and the funds stay locked.

Impact

  • Funds are permanently locked inside the contract.

  • The owner cannot recover the fees, leading to potential financial losses.

  • Denial of Service (DoS) risk if an attacker exploits this to prevent withdrawals.

Tools Used

Manual review

Recommendations

Update totalFees only after a successful transfer:

```solidity
function withdrawFees() external onlyOwner {
    require(totalFees > 0, "No fees to withdraw");
    uint256 totalFeesToWithdraw = totalFees;
    (bool success, ) = payable(owner()).call{value: totalFeesToWithdraw}("");
    require(success, "Transfer failed");
    totalFees = 0; // Update state only after success
}
```

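As an added Foundry test, not part of this submission or of the DatingDapp code, the recommended ordering applied to a hypothetical stand-in vault (FeeVault, payFee and RejectingOwner are assumed names): when the owner is a contract that cannot accept ETH, withdrawFees reverts and totalFees is still 1 ether rather than 0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the fee-holding contract (not the DatingDapp code).
contract FeeVault {
    address public owner;
    uint256 public totalFees;

    constructor(address _owner) { owner = _owner; }

    // Callers pay fees in; the vault tracks them in totalFees.
    function payFee() external payable { totalFees += msg.value; }

    // Recommended ordering: transfer first, clear totalFees only on success.
    function withdrawFees() external {
        require(msg.sender == owner, "Not owner");
        require(totalFees > 0, "No fees to withdraw");
        uint256 totalFeesToWithdraw = totalFees;
        (bool success, ) = payable(owner).call{value: totalFeesToWithdraw}("");
        require(success, "Transfer failed");
        totalFees = 0; // reached only after a successful transfer
    }
}

// Owner with no receive()/fallback: every plain ETH transfer to it fails.
contract RejectingOwner {
    function withdraw(FeeVault vault) external { vault.withdrawFees(); }
}

contract WithdrawFeesTest is Test {
    FeeVault vault;
    RejectingOwner rejecting;

    function setUp() public {
        rejecting = new RejectingOwner();
        vault = new FeeVault(address(rejecting));
        vault.payFee{value: 1 ether}();
    }

    function test_failedTransferDoesNotZeroFees() public {
        vm.expectRevert(bytes("Transfer failed"));
        rejecting.withdraw(vault);
        // The revert rolled back the whole call, so the fees remain accounted for.
        assertEq(vault.totalFees(), 1 ether);
        assertEq(address(vault).balance, 1 ether);
    }
}
```

Run with `forge test --match-test test_failedTransferDoesNotZeroFees` in a project that has forge-std installed.
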
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Admin is trusted

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.