Summary
The withdraw function is callable by anyone, allowing unauthorized users to withdraw funds from the contract. This introduces a major security risk where an attacker can drain users' funds.
Vulnerability Details
The function does not have an access control mechanism (onlyOwner or onlyDepositor) to restrict withdrawals to the rightful owner of the deposit.
The check EnumerableSet.contains(userDeposits[msg.sender], depositId) == false only ensures the caller has a deposit, but an attacker can still call the function and withdraw funds to any recipient.
Impact
Loss of User Funds: Malicious actors can withdraw other users’ deposits, leading to theft of funds.
Exploitation Risk: Since the function lacks proper restrictions, attackers can repeatedly exploit this to drain assets.
Tools Used
Manual Code Review
Solidity Static Analysis
Recommendations
Require that msg.sender is the owner of the deposit before allowing withdrawals:
Alternatively, use a modifier such as:
and apply it to the function:
Ensure recipient validation prevents unauthorized fund transfers.
This is a high-severity issue as it can lead to total fund loss if exploited.
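The recommendations above, sketched as an added example that is not the audited contract's code or the submitter's original snippets. Only withdraw, userDeposits, depositId, recipient and onlyDepositor come from the finding; the contract name, the depositAmount mapping, the custom errors, the ETH-based accounting and the specific recipient rules are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";

// Hypothetical vault: only userDeposits, depositId, withdraw, recipient and
// onlyDepositor are names from the finding; everything else is assumed.
contract DepositVaultSketch {
    using EnumerableSet for EnumerableSet.UintSet;

    error NotDepositOwner(address caller, uint256 depositId);
    error InvalidRecipient();
    error TransferFailed();

    mapping(address => EnumerableSet.UintSet) private userDeposits;
    mapping(uint256 => uint256) private depositAmount; // assumed: ETH per deposit
    uint256 private nextDepositId;

    // Ownership is bound to msg.sender, never to a caller-supplied address.
    modifier onlyDepositor(uint256 depositId) {
        if (!userDeposits[msg.sender].contains(depositId)) {
            revert NotDepositOwner(msg.sender, depositId);
        }
        _;
    }

    function deposit() external payable returns (uint256 depositId) {
        depositId = nextDepositId++;
        depositAmount[depositId] = msg.value;
        userDeposits[msg.sender].add(depositId);
    }

    function withdraw(uint256 depositId, address payable recipient)
        external
        onlyDepositor(depositId)
    {
        // Assumed recipient validation: reject the zero address and this contract.
        if (recipient == address(0) || recipient == address(this)) {
            revert InvalidRecipient();
        }
        // Effects before interaction: clear state so the deposit cannot be
        // withdrawn twice, including through a reentrant call.
        uint256 amount = depositAmount[depositId];
        delete depositAmount[depositId];
        userDeposits[msg.sender].remove(depositId);
        (bool ok, ) = recipient.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```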