Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

The `WeatherNft` contract includes a payable function but does not implement a mechanism to withdraw the received Ether

Root + Impact

Description

  • The `WeatherNft::requestMintWeatherNFT` function has the `payable` modifier and requires Ether to be sent in order to mint an NFT. The required payment increases with the number of tokens already minted.

  • The `WeatherNft` contract does not include any function for withdrawing Ether, so all funds paid for minted tokens remain locked in the contract.

function requestMintWeatherNFT(
    string memory _pincode,
    string memory _isoCode,
    bool _registerKeeper,
    uint256 _heartbeat,
    uint256 _initLinkDeposit
@> ) external payable returns (bytes32 _reqId) {
    // rest of the function code
}

Risk

Likelihood and Impact:

  • All Ether paid by users for minted tokens will remain permanently locked in the contract.
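A quick way to catch this class of issue during review is to check whether a source file accepts Ether but never sends any out. The following is an added example, not part of the original submission or the project's code: a regex heuristic in Python, run over two constructed Solidity samples that reuse the function signature shown above. The name `locked_ether_report`, the sample bodies and the `onlyOwner` modifier are assumptions; the check treats the whole file as one contract, does not resolve inheritance, and counts any `.transfer(`/`.send(` call as an outflow.

```python
import re

# Heuristic patterns (assumption: one contract per file, no inheritance resolution).
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
PAYABLE_FN = re.compile(  # `payable` must sit among the modifiers, before `returns`
    r"\b(function\s+\w+|receive|fallback)\s*\([^)]*\)"
    r"(?:(?!\breturns\b)[^{;])*?\bpayable\b[^{;]*\{")
# Note: .transfer(/.send( also match ERC-20 calls, which can hide a real finding.
OUTFLOW = re.compile(
    r"\.call\s*\{[^}]*\bvalue\s*:|\.(?:transfer|send)\s*\(|\bselfdestruct\s*\(")

def locked_ether_report(source: str) -> dict:
    """Flag a source that can receive Ether but contains no Ether-sending call."""
    code = COMMENTS.sub("", source)  # commented-out code must not count
    inflows = [m.group(1).split()[-1] for m in PAYABLE_FN.finditer(code)]
    has_outflow = OUTFLOW.search(code) is not None
    return {"payable": inflows, "has_outflow": has_outflow,
            "locked": bool(inflows) and not has_outflow}

# Constructed sample: the signature from this finding with a placeholder body.
LOCKED = """
contract WeatherNft {
    function requestMintWeatherNFT(
        string memory _pincode, string memory _isoCode, bool _registerKeeper,
        uint256 _heartbeat, uint256 _initLinkDeposit
    ) external payable returns (bytes32 _reqId) {
        // no msg.sender.call{value: ...} exists anywhere in this contract
        _reqId = keccak256(bytes(_pincode));
    }
}
"""
# Constructed sample: same contract plus an owner-only outflow
# (the onlyOwner modifier is assumed to be defined elsewhere).
FIXED = LOCKED.replace("\n}\n", """
    function withdraw() external onlyOwner {
        uint256 amount = address(this).balance;
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Failure! Ether not sent!");
    }
}
""")

if __name__ == "__main__":
    print("locked:", locked_ether_report(LOCKED))
    print("fixed: ", locked_ether_report(FIXED))
```

A hit from this check is a prompt for manual review, not a verdict: an outflow inherited from a parent contract would not be seen.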

Recommended Mitigation

Add a withdrawal function that can only be executed by the contract owner. For example:

+ function withdraw() external OnlyOwner {
+ uint256 amount = address(this).balance;
+ require(amount > 0, "No funds to withdraw");
+ (bool success, ) = msg.sender.call{value: amount}("");
+ require(success, "Failure! Ether not sent!");
+ }
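Review bot: the modifier on the first line is written `OnlyOwner`, and nothing shown on this page defines a modifier with that capitalisation; the common convention (for example OpenZeppelin's `Ownable`) is `onlyOwner`, so confirm the name matches what `WeatherNft` actually declares, otherwise the function will not compile. The function also emits no event, so a withdrawal leaves no log entry for off-chain monitoring; consider emitting an event that records the recipient and `amount`.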
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
