Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Lack of Withdrawal Mechanism in `mint` Function (Locked Funds Risk)

Description:
The mint function in the contract accepts payments in ERC-20 tokens from users. It transfers the specified _amount of tokens from the user to the contract address to facilitate the minting process. However, the contract lacks a withdrawal mechanism, meaning that the collected funds remain locked within the contract with no way for the owner or an authorized entity to retrieve them.

Impact:

  • Locked Funds Risk: The contract accumulates ERC-20 tokens without any means to transfer them out, leading to a scenario where the collected funds are inaccessible.

  • Loss of Revenue: Without a withdrawal function, the project team cannot utilize the collected funds, effectively losing the intended revenue.

  • Potential Governance Risks: If no upgradeability or ownership controls exist, these funds could be permanently stuck in the contract.

Proof of Concept:

  1. A user calls the mint function with a _tokenId and _amount of ERC-20 tokens.

  2. The contract checks the required price for the _tokenId.

  3. If the _amount is sufficient, the contract transfers _amount of ERC-20 tokens from the user's wallet to the contract address.

  4. The contract mints the NFT and assigns it to the user.

  5. If the _amount exceeds the price, the excess tokens are refunded to the user.

  6. The contract retains the collected ERC-20 tokens without any mechanism to withdraw them.

  7. Over time, the contract accumulates ERC-20 tokens that cannot be accessed, leading to locked funds.

Recommended Mitigation:

  1. Implement a Withdrawal Function: A secure withdrawal function should be added to allow an authorized entity (e.g., the contract owner) to retrieve the accumulated funds. Example implementation:

     // Assumes `using SafeERC20 for IERC20;` and an Ownable-style `onlyOwner` / `owner()`.
     function withdraw() external onlyOwner {
         // Sweep the full payment-token balance held by this contract to the owner.
         uint256 balance = token.balanceOf(address(this));
         require(balance > 0, "No funds to withdraw");
         token.safeTransfer(owner(), balance);
     }

  2. Utilize a Treasury or Payment Splitter Contract: Instead of storing the tokens in the NFT contract, they should be sent directly to a designated treasury or revenue-sharing contract for better fund management.

  3. Access Control: Ensure only authorized addresses can call the withdrawal function to prevent unauthorized fund transfers.

By implementing these fixes, the contract will ensure that collected funds remain accessible, preventing revenue loss and governance issues.
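The treasury-forwarding mitigation, shown as an added example that is not the audited contract's code or part of the submission: `mint` pulls the price from the buyer straight to a treasury address, so the NFT contract never holds a balance. It assumes OpenZeppelin Contracts v5; the contract name, `treasury`, `priceOf`, `setPrice` and `setTreasury` are hypothetical stand-ins, and unlike the flow in the Proof of Concept it pulls exactly the price instead of `_amount`, which removes the refund step.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative contract, not the audited code. `treasury`, `priceOf`,
// `setPrice` and `setTreasury` are hypothetical names.
contract TreasuryForwardingNFT is ERC721, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;              // payment token
    address public treasury;                    // receives every mint payment
    mapping(uint256 => uint256) public priceOf; // tokenId => price (assumed price source)

    event TreasuryUpdated(address indexed previous, address indexed current);

    constructor(IERC20 _token, address _treasury)
        ERC721("Example", "EX")
        Ownable(msg.sender)
    {
        require(_treasury != address(0), "treasury is zero");
        token = _token;
        treasury = _treasury;
    }

    // Only the owner may redirect payments; a zero address would burn revenue.
    function setTreasury(address _treasury) external onlyOwner {
        require(_treasury != address(0), "treasury is zero");
        emit TreasuryUpdated(treasury, _treasury);
        treasury = _treasury;
    }

    function setPrice(uint256 _tokenId, uint256 _price) external onlyOwner {
        priceOf[_tokenId] = _price;
    }

    function mint(uint256 _tokenId, uint256 _amount) external {
        uint256 price = priceOf[_tokenId];
        require(price != 0, "token not for sale");
        require(_amount >= price, "insufficient amount");
        // Buyer -> treasury directly: no balance accrues here, nothing to refund.
        token.safeTransferFrom(msg.sender, treasury, price);
        _safeMint(msg.sender, _tokenId); // reverts if _tokenId already exists
    }
}
```

Tokens already held by a deployed contract are not recovered by this change; that case still needs the `withdraw()` function from mitigation 1.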

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
