Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Contract `WeatherNft` has payable functions but no withdraw mechanism

Description:
The WeatherNft contract includes the payable function requestMintWeatherNFT(), but it has no mechanism for withdrawing the collected minting funds, leaving them locked in the contract.

Impact:
ETH collected through payable functions cannot be accessed by anyone, leading to a financial loss for the contract owner, who never receives the minting proceeds.

```solidity
function requestMintWeatherNFT(string memory _pincode, string memory _isoCode, bool _registerKeeper, uint256 _heartbeat, uint256 _initLinkDeposit)
    external
@>  payable
    returns (bytes32 _reqId)
{
    require(msg.value == s_currentMintPrice, WeatherNft__InvalidAmountSent());
    s_currentMintPrice += s_stepIncreasePerMint;
    if (_registerKeeper) {
        addressToLinkDeposit[msg.sender] = _initLinkDeposit;
        IERC20(s_link).safeTransferFrom(msg.sender, address(this), _initLinkDeposit);
    }
    _reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);
    emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);
    s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({
        user: msg.sender,
        pincode: _pincode,
        isoCode: _isoCode,
        // e - using a keeper or not
        registerKeeper: _registerKeeper,
        heartbeat: _heartbeat,
        initLinkDeposit: _initLinkDeposit
    });
}
```
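The mint path above, reduced to a Foundry reproduction. This is an added example written for this page, not code from the submission or from the WeatherNft codebase: `MintNoWithdraw`, `MintWithWithdraw` and `LockedFundsTest` are hypothetical contracts that keep only the exact-payment check and the step-increasing price, with no Chainlink Functions or keeper plumbing. The first test shows the ETH from two mints sitting in the contract with no selector able to move it; the second shows the same contract with an owner-only withdraw added, where a non-owner is rejected and the owner recovers the full balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical reduced model of the audited mint path: same price step logic, no oracle calls.
contract MintNoWithdraw {
    error InvalidAmountSent();

    address public immutable owner;
    uint256 public s_currentMintPrice;
    uint256 public immutable s_stepIncreasePerMint;

    constructor(uint256 startPrice, uint256 step) {
        owner = msg.sender;
        s_currentMintPrice = startPrice;
        s_stepIncreasePerMint = step;
    }

    // Mirrors requestMintWeatherNFT: exact payment required, then the price steps up.
    // ETH received here has no way out of the contract.
    function requestMint() external payable {
        if (msg.value != s_currentMintPrice) revert InvalidAmountSent();
        s_currentMintPrice += s_stepIncreasePerMint;
    }
}

// The same contract with the mitigation applied: an owner-only sweep of the ETH balance.
contract MintWithWithdraw is MintNoWithdraw {
    error NotOwner();
    error NoEthToWithdraw();
    error WithdrawFailed();

    event Withdrawn(address indexed to, uint256 amount);

    constructor(uint256 startPrice, uint256 step) MintNoWithdraw(startPrice, step) {}

    function withdraw() external {
        if (msg.sender != owner) revert NotOwner();
        uint256 balance = address(this).balance;
        if (balance == 0) revert NoEthToWithdraw();
        (bool success,) = msg.sender.call{value: balance}("");
        if (!success) revert WithdrawFailed();
        emit Withdrawn(msg.sender, balance);
    }
}

contract LockedFundsTest is Test {
    address owner = makeAddr("owner");
    address minter = makeAddr("minter");

    // Two mints at the current price each time; returns the total ETH paid in.
    function _mintTwice(MintNoWithdraw nft) internal returns (uint256 paid) {
        vm.deal(minter, 10 ether);
        vm.startPrank(minter);
        uint256 p1 = nft.s_currentMintPrice();
        nft.requestMint{value: p1}();
        uint256 p2 = nft.s_currentMintPrice();
        nft.requestMint{value: p2}();
        vm.stopPrank();
        return p1 + p2;
    }

    function test_ethAccumulatesWithNoWayOut() public {
        vm.prank(owner);
        MintNoWithdraw nft = new MintNoWithdraw(1 ether, 0.1 ether);
        uint256 paid = _mintTwice(nft);
        assertEq(address(nft).balance, paid); // 2.1 ether is held by the contract

        // No withdraw() selector exists and there is no fallback, so even the owner's call reverts.
        vm.prank(owner);
        (bool ok,) = address(nft).call(abi.encodeWithSignature("withdraw()"));
        assertFalse(ok);
        assertEq(address(nft).balance, paid);
    }

    function test_ownerCanWithdrawAfterFix() public {
        vm.prank(owner);
        MintWithWithdraw nft = new MintWithWithdraw(1 ether, 0.1 ether);
        uint256 paid = _mintTwice(nft);

        // Access control: a minter cannot sweep the proceeds.
        vm.prank(minter);
        vm.expectRevert(MintWithWithdraw.NotOwner.selector);
        nft.withdraw();

        // The owner recovers the full balance and the contract is left empty.
        vm.prank(owner);
        nft.withdraw();
        assertEq(address(nft).balance, 0);
        assertEq(owner.balance, paid);
    }
}
```

Run with `forge test --match-contract LockedFundsTest -vv`. The fixed variant uses custom errors and emits an event on each sweep so that withdrawals of minting proceeds are visible in on-chain logs; the sweep goes to `msg.sender`, which the owner check has already constrained.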

Recommended Mitigation:
Add an onlyOwner withdraw function next to the other owner-only setters:

```diff
.
.
// functions
+ function withdraw() external onlyOwner {
+ uint256 balance = address(this).balance;
+ require(balance > 0, "No ETH to withdraw");
+ (bool success, ) = msg.sender.call{value: balance}("");
+ require(success, "Withdraw failed");
+ }
function updateFunctionsGasLimit(uint32 newGaslimit) external onlyOwner {
s_functionsConfig.gasLimit = newGaslimit;
}
function updateSubId(uint64 newSubId) external onlyOwner {
s_functionsConfig.subId = newSubId;
}
function updateSource(string memory newSource) external onlyOwner {
s_functionsConfig.source = newSource;
}
function updateEncryptedSecretsURL(bytes memory newEncryptedSecretsURL) external onlyOwner {
s_functionsConfig.encryptedSecretsURL = newEncryptedSecretsURL;
}
.
.
```
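Review bot: the added `withdraw()` reverts with string reasons (`require(balance > 0, "No ETH to withdraw")`, `require(success, "Withdraw failed")`) while `requestMintWeatherNFT` in the same contract uses a custom error (`WeatherNft__InvalidAmountSent()`); declare custom errors in the same naming style (for example `WeatherNft__NoEthToWithdraw()` and `WeatherNft__WithdrawFailed()`) so the contract stays consistent and reverts stay cheap. The function also emits no event, so owner sweeps of minting proceeds leave nothing for off-chain monitoring to key on; emit an event such as `FundsWithdrawn(address to, uint256 amount)` after the successful call, and consider sending to `owner()` rather than `msg.sender` so the destination is explicit in the code even though `onlyOwner` already makes them equal.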
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
