Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing ETH Withdrawal Functionality in WeatherNFT Contract Leads to Fund Locking Risk

20162020lxm

Summary

The WeatherNFT contract receives ETH payments for NFT minting but lacks any withdrawal functionality. This design flaw could lead to permanent locking of ETH funds in the contract with no recovery mechanism.

Root Cause

The contract implements payable functions that accept ETH (through requestMintWeatherNFT with msg.value) but provides no method to withdraw accumulated ETH. This violates the basic principle that any contract receiving funds should have a controlled withdrawal mechanism.

Internal pre-conditions

Contract accepts ETH payments through requestMintWeatherNFT function
No withdrawal function implemented despite inheriting from ConfirmedOwner
No emergency recovery mechanism for stuck funds
ETH balance tracking is implicit rather than explicit

External pre-conditions

Users send ETH to contract for NFT minting
Contract owner has no way to access accumulated funds
No fallback or recovery mechanism exists

Attack Path

Users mint NFTs by sending ETH to contract
ETH accumulates in contract balance
Contract owner cannot access funds for:
- Project development
- Revenue sharing
- Operational expenses
Funds remain permanently locked in contract

Impact

Permanent loss of project funds
Inability to utilize revenue for project maintenance
Violation of financial transparency expectations
Potential legal/compliance issues regarding unaccessible funds
Loss of trust from investors and users

PoC

Deploy WeatherNFT contract
Mint multiple NFTs by sending ETH
Verify ETH balance grows in contract
Attempt to withdraw ETH as owner (will fail)
Confirm funds are permanently locked

Mitigation

Implement owner-controlled withdrawal function:

function withdrawETH(address payable recipient) external onlyOwner {

uint256 balance = address(this).balance;

require(balance > 0, "No ETH balance");

(bool success, ) = recipient.call{value: balance}("");

require(success, "Transfer failed");

}

Add withdrawal event logging:

event ETHWithdrawn(address indexed recipient, uint256 amount);

Consider implementing:
- Withdrawal limits
- Multi-signature requirements
- Timelock for large withdrawals
- Emergency pause functionality
Follow best practices:
- Explicit ETH balance tracking
- Regular fund sweeping
- Transparent withdrawal policies

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.