Lack of Token Withdrawal Mechanism in RAACNFT Contract
Summary
The RAACNFT Contract allows users to mint NFTs by depositing ERC-20 tokens. While the contract refunds excess tokens during the minting process, it does not provide a mechanism to withdraw accumulated tokens that remain in the contract, leading to potential inefficiencies.
Vulnerability Details
The contract facilitates NFT minting by transferring ERC-20 tokens from users to the contract. However, any unclaimed or accumulated tokens remain in the contract without a way to be recovered or utilized.
Key Observations:
-
The
mintfunction correctly refunds excess deposits but does not handle the accumulation of unclaimed tokens. -
There is no function for the contract owner to withdraw unused ERC-20 tokens.
-
Over time, the contract may accumulate tokens without a clear mechanism for retrieval.
Impact
-
Unclaimed Token Accumulation: Tokens that are not refunded during minting or are left unused in the contract become inaccessible.
-
Contract Inefficiency: The contract may hold a growing balance of ERC-20 tokens with no intended use, reducing its effectiveness.
Tools Used
Manual code review
Recommendations
To prevent the permanent accumulation of tokens, implement the following:
1. Withdraw Function for Owner: Allow the contract owner to withdraw unused ERC-20 tokens.
Lead Judging Commences
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.