M-1: Missing Admin Ether Withdrawal Function — Ether Locked in Contract
Missing Admin Ether Withdrawal Function — Ether Locked in Contract
Description
The WeatherNft contract contains the requestMintWeatherNFT function, marked payable, allows users to send Ether when minting a Dynamic Weather NFT. The minting fee (s_currentMintPrice) increases with each call, meaning the contract can accumulate a significant Ether balance over time.
However, the contract lacks a function that allows the owner or admin to withdraw the collected Ether. As a result, all Ether sent to the contract remains permanently locked unless a withdrawal mechanism is implemented. This limits the contract's usability and control for its owner.
Risk
Ether locked in a contract—inability for the contract owner to retrieve accumulated Ether.
Likelihood:
-
No attacker can exploit this directly — the loss is to the contract owner/admin due to inaccessible funds.
-
If the contract becomes popular, more Ether gets locked, increasing the financial risk.
Impact:
-
Ether locked in a contract
-
Inability for contract owner to retrieve accumulated Ether.
Recommended Mitigation
IF we add a withdrawal function for the admin, so the admin can call and withdraw the contract balance, then this issue will be solved
Add This function on WeatherNft contract:
Appeal created
Lack of `withdraw` function
The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.