Protocol will not be able to withdraw Funds from sale of RAACNFT due to Missing Withdrawal Function
Summary
The RAACNFT.sol contract does not provide a function to withdraw the ERC20 tokens collected during the minting process. As a result, all funds transferred to the contract remain permanently locked, making them inaccessible.
Vulnerability Details
The root cause of this issue is the lack of a function that allows the contract owner (or any authorized entity) to withdraw ERC20 tokens accumulated in the contract.
During the minting process, the contract collects ERC20 tokens from users:
However, there is no function in the contract that allows these funds to be withdrawn. Typically, a function should exist to allow the contract owner to retrieve the collected funds. Since such a function is missing, any ERC20 tokens received during minting will remain stuck in the contract indefinitely.
Impact
The funds collected from users during minting cannot be accessed or used for protocol operations.
The project team is unable to utilize the revenue from NFT sales.
Tools Used
Manual code review
Recommendations
A withdrawal function should be added to allow the contract owner to retrieve the collected ERC20 tokens.
Lead Judging Commences
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.