DeFiFoundry
50,000 USDC
View results
Submission Details
Severity: high
Invalid

Title: Unauthorized Withdrawals Due to Missing Access Control

Summary

The withdraw function is callable by anyone, allowing unauthorized users to withdraw funds from the contract. This introduces a major security risk where an attacker can drain users' funds.

Vulnerability Details

  • The function does not have an access control mechanism (onlyOwner or onlyDepositor) to restrict withdrawals to the rightful owner of the deposit.

  • The check EnumerableSet.contains(userDeposits[msg.sender], depositId) == false only ensures the caller has a deposit, but an attacker can still call the function and withdraw funds to any recipient.

Impact

  • Loss of User Funds: Malicious actors can withdraw other users’ deposits, leading to theft of funds.

  • Exploitation Risk: Since the function lacks proper restrictions, attackers can repeatedly exploit this to drain assets.

Tools Used

  • Manual Code Review

  • Solidity Static Analysis

Recommendations

  • Require that msg.sender is the owner of the deposit before allowing withdrawals:

    require(depositInfo[depositId].owner == msg.sender, "Not the deposit owner");
  • Alternatively, use a modifier such as:

    modifier onlyDepositor(uint256 depositId) {
    require(depositInfo[depositId].owner == msg.sender, "Not the deposit owner");
    _;
    }

    and apply it to the function:

    function withdraw(address recipient, uint256 depositId) public payable nonReentrant onlyDepositor(depositId) { ... }
  • Ensure recipient validation prevents unauthorized fund transfers.

This is a high-severity issue as it can lead to total fund loss if exploited.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.