In the `mint` function of RAACNFT.sol, the contract receives ERC20 tokens from the caller, but it exposes no function to withdraw them. The contract owner therefore cannot move those tokens out, and they remain permanently locked inside the contract.
Impact:
- The contract owner cannot remove funds
- Permanent loss of tokens inside the contract
Attack Scenario:
1. Users continuously mint NFTs, sending ERC20 tokens to the contract.
2. Since there is no function to withdraw tokens, the funds remain stuck.
3. If the owner needs the funds for operational expenses or liquidity management, they cannot access them.
```solidity
mint(1, 100); // User transfers 100 ERC20 tokens
mint(2, 150); // Another user transfers 150 ERC20 tokens
// Contract balance now holds 250 tokens, but...
// there is no function to withdraw them.
```
Now, all ERC20 tokens are permanently locked, making it impossible for the contract to use or distribute them.
Tools Used: Manual review
Recommendation: Add an owner-only withdraw function so the owner can retrieve ERC20 tokens held by the contract.
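One way to implement the recommended withdrawal path, written here as an added example rather than code from the RAAC project. It assumes OpenZeppelin v5 (`Ownable` with an `initialOwner` constructor argument, `SafeERC20`); the contract name `RAACNFTWithdrawExample`, the function name `withdrawERC20`, and the event are hypothetical names chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin v5 is installed; these imports are not part of the audited code.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical example contract showing only the recovery path; the real
// NFT minting logic is omitted.
contract RAACNFTWithdrawExample is Ownable {
    using SafeERC20 for IERC20;

    // Emitted on every sweep so off-chain monitoring can track owner withdrawals.
    event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);

    constructor(address initialOwner) Ownable(initialOwner) {}

    /// @notice Owner-only transfer of ERC20 tokens held by this contract.
    /// @param token  The ERC20 token to withdraw.
    /// @param to     Recipient of the tokens; must be nonzero.
    /// @param amount Amount to withdraw; 0 means "withdraw the full balance".
    function withdrawERC20(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(to != address(0), "zero recipient");

        uint256 balance = token.balanceOf(address(this));
        if (amount == 0) {
            amount = balance;
        }
        require(amount <= balance, "insufficient balance");

        // SafeERC20 reverts on tokens that return false instead of reverting,
        // so a failed transfer cannot be silently ignored.
        token.safeTransfer(to, amount);
        emit TokensWithdrawn(address(token), to, amount);
    }
}
```

Restricting the function with `onlyOwner` and emitting an event keeps the sweep auditable. If the contract's token balance is ever expected to back user claims rather than belong to the protocol, an unrestricted sweep becomes a centralization risk, and the owner role should sit behind a multisig or timelock.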