Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

No ETH Withdrawal Mechanism in WeatherNft Contract

Root + Impact

There is no withdrawal mechanism, so ETH sent to the contract is stuck.

Description

The WeatherNft contract accepts ETH payments via the requestMintWeatherNFT payable function but lacks any function or mechanism to withdraw, forward, or utilize the collected ETH. As a result, all ETH sent to the contract becomes permanently locked and inaccessible.

Users are required to send ETH equal to s_currentMintPrice to mint a weather NFT.

```solidity
function requestMintWeatherNFT(
    string memory _pincode,
    string memory _isoCode,
    bool _registerKeeper,
    uint256 _heartbeat,
    uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
    // The caller must send exactly the current mint price.
    require(
        msg.value == s_currentMintPrice,
        WeatherNft__InvalidAmountSent()
    );
    // ... (rest of the function not shown in this report)
}
```


Risk

Likelihood: This will happen every time there is a request to mint an NFT.

Impact:

  • There is no function provided for the owner to withdraw or forward these ETH funds.

  • There is no logic to transfer ETH to a treasury or beneficiary address.

  • The contract could accumulate ETH over time, leading to locked funds.

Recommended Mitigation

Implement a secure withdrawal or ETH forwarding mechanism:

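```solidity
address public treasury;

// Owner sets the address that receives the collected mint fees.
function setTreasury(address _treasury) external onlyOwner {
    require(_treasury != address(0), "Treasury is zero address");
    treasury = _treasury;
}

// Sends the contract's entire ETH balance to the treasury.
function withdrawETH() external onlyOwner {
    require(treasury != address(0), "Treasury not set");
    // call instead of transfer: transfer's 2300-gas stipend can revert for contract treasuries.
    (bool ok, ) = payable(treasury).call{value: address(this).balance}("");
    require(ok, "ETH transfer failed");
}
```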
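
A Foundry test for the behaviour this finding describes, as an added example that is not part of the original submission or the WeatherNft code base. `MintNoExit` and `MintWithExit` are hypothetical stand-ins that model only the exact-price payment check, and the 0.01 ether price is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: models only the payment check of requestMintWeatherNFT.
contract MintNoExit {
    error InvalidAmountSent();
    uint256 public s_currentMintPrice = 0.01 ether; // constructed price
    function requestMint() external payable {
        if (msg.value != s_currentMintPrice) revert InvalidAmountSent();
    }
}

// Same stand-in plus an owner-only sweep to a treasury (assumed design).
contract MintWithExit is MintNoExit {
    address public immutable owner = msg.sender;
    address public treasury;
    function setTreasury(address _treasury) external {
        require(msg.sender == owner && _treasury != address(0), "not owner or zero address");
        treasury = _treasury;
    }
    function withdrawETH() external {
        require(msg.sender == owner && treasury != address(0), "not owner or treasury unset");
        (bool ok, ) = payable(treasury).call{value: address(this).balance}("");
        require(ok, "ETH transfer failed");
    }
}

contract LockedEthTest is Test {
    function test_feesStayLockedWithoutWithdraw() public {
        MintNoExit nft = new MintNoExit();
        nft.requestMint{value: 0.01 ether}();
        // No withdraw selector and no fallback: the low-level call fails.
        (bool ok, ) = address(nft).call(abi.encodeWithSignature("withdrawETH()"));
        assertFalse(ok);
        assertEq(address(nft).balance, 0.01 ether);
    }

    function test_ownerCanSweepToTreasury() public {
        MintWithExit nft = new MintWithExit();
        address treasury = makeAddr("treasury");
        nft.setTreasury(treasury);
        nft.requestMint{value: 0.01 ether}();
        nft.withdrawETH();
        assertEq(treasury.balance, 0.01 ether);
        assertEq(address(nft).balance, 0);
    }
}
```

Both tests run with `forge test`; the first passes because the fee stays in the contract, the second because the sweep empties it into the treasury.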
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
